zonote allows XSS via a crafted note, with resultant Remote Code Execution (because Node.js integration is enabled).
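Node.js integration is an Electron renderer setting, and it is what turns script injection in a note into code execution on the host. The following added example (not zonote's code; the `weakPrefs` and `hardenedPrefs` objects and the function names are constructed for illustration) audits a `BrowserWindow` `webPreferences` object for that setting and the related isolation options.

```javascript
// Added example: audit Electron webPreferences for settings that let
// renderer-side XSS reach Node.js. Runs under plain Node, no Electron needed.

// Each rule names a real webPreferences key and the value a hardened app uses.
const RULES = [
  { key: 'nodeIntegration', safe: false,
    why: 'renderer is granted Node.js APIs, so injected script can run OS commands' },
  { key: 'contextIsolation', safe: true,
    why: 'page script shares a JavaScript context with preload code' },
  { key: 'sandbox', safe: true,
    why: 'renderer process runs without the Chromium sandbox' },
  { key: 'webSecurity', safe: true,
    why: 'same-origin policy is disabled for the renderer' },
];

// Returns a list of findings; an empty list means every rule is satisfied.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, safe, why } of RULES) {
    if (!(key in prefs)) {
      // Defaults have changed across Electron releases, so require explicit values.
      findings.push({ key, severity: 'warn',
        message: `${key} is not set explicitly; the default depends on the Electron version` });
    } else if (prefs[key] !== safe) {
      findings.push({ key, severity: 'high', message: `${key}=${prefs[key]}: ${why}` });
    }
  }
  return findings;
}

function isHardened(prefs) {
  return auditWebPreferences(prefs).length === 0;
}

// Constructed sample: the weak setting the advisory describes.
const weakPrefs = { nodeIntegration: true };

// Constructed sample: the corrected configuration.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

for (const [name, prefs] of [['weak', weakPrefs], ['hardened', hardenedPrefs]]) {
  console.log(name, isHardened(prefs) ? 'OK' : auditWebPreferences(prefs));
}
```

Hardening the renderer limits what an injected script can reach; the note content still needs to be sanitized or escaped before rendering to remove the XSS itself.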
- Download any affected version of zonote
- Open the zonote app
- Import xss-rce.znt in zonote via Menu > Open
- Hover over the different links in imported notes
- 2020-12-26 Issue discovered and owner contacted
- 2020-12-26 Owner expresses his intention not to maintain the repository or fix the vulnerability
- 2021-01-01 Public disclosure of the vulnerability