CVE-2022-28101

9.0 CRITICAL

📋 TL;DR

Turtlapp Turtle Note v0.7.2.6 has an HTML injection vulnerability: the markdown parser does not filter <meta> tags, so an attacker can inject them into a note. The injected HTML is rendered in the context of the application, potentially affecting all users who view malicious notes. The vulnerability stems from insufficient input filtering in the markdown parser.

💻 Affected Systems

Products:
  • Turtlapp Turtle Note
Versions: v0.7.2.6
Operating Systems: All platforms running Turtlapp
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the vulnerable version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute cross-site scripting (XSS) attacks, steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠 Likely Case

Attackers inject malicious HTML content that appears in user notes, potentially leading to phishing attacks, session hijacking, or defacement of note content.

🟢 If Mitigated

With proper input validation and output encoding, the injected HTML would be rendered as plain text rather than executed as code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create or edit notes, but the HTML injection technique is simple and well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.7.2.7 or later

Vendor Advisory: https://github.com/turtl/tracker/issues/404

Restart Required: Yes

Instructions:

1. Download the latest version from the official Turtl repository.
2. Backup your existing installation.
3. Install the updated version.
4. Restart the Turtl service or application.

🔧 Temporary Workarounds

Disable markdown parsing (platforms: all)

Temporarily disable markdown parsing in Turtl configuration to prevent HTML injection through markdown.

Modify Turtl configuration to set markdown_parsing = false

Content filtering proxy (platforms: all)

Deploy a web application firewall or proxy that filters <meta> tags and other HTML injection attempts.

🧯 If You Can't Patch

  • Implement strict input validation to filter <meta> tags and other HTML elements in user content
  • Enable Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check if Turtl version is exactly v0.7.2.6. Attempt to create a note containing <meta> tags in markdown and see if they render as HTML.

Check Version:

Check Turtl application settings or about page for version information

Verify Fix Applied:

After updating, test that <meta> tags in markdown are properly escaped and displayed as text rather than executed as HTML.

📡 Detection & Monitoring

Log Indicators:

  • Unusual note creation/editing patterns
  • Log entries containing <meta> tags in user content

Network Indicators:

  • HTTP requests containing <meta> tags in POST data to note endpoints

SIEM Query:

source="turtl_logs" AND ("<meta" OR "html injection")
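
The literal string match in the query above only sees a tag spelled exactly `<meta`. The following scanner is an added example, not part of the original advisory or of Turtl's code: it also catches upper-case, URL-encoded and JSON-escaped forms, and ignores entity-escaped tags that a fixed renderer would emit. The log line format, the `/notes` path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Matches an opening <meta ...> tag in any letter case and captures its attributes.
META_TAG = re.compile(r"<meta\b([^>]*)>?", re.IGNORECASE)
# JSON-style \u003c / \u003e escapes that hide angle brackets in request bodies.
JSON_ESCAPE = re.compile(r"\\u00(3c|3e)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL encoding and JSON unicode escapes so encoded tags become visible."""
    text = unquote_plus(text)
    return JSON_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_meta_tags(text: str) -> list[str]:
    """Return the attribute string of every raw <meta> tag found in text.

    Entity-escaped tags (&lt;meta ...&gt;) are not reported: that is the form
    a renderer emits when it treats the tag as plain text.
    """
    return [m.group(1).strip() for m in META_TAG.finditer(normalize(text))]


def scan(lines):
    """Yield (line_number, attributes) for each line carrying a raw <meta> tag."""
    for number, line in enumerate(lines, start=1):
        for attrs in find_meta_tags(line):
            yield number, attrs


# Constructed sample lines (not real Turtl logs); the format is an assumption.
SAMPLE_LINES = [
    'POST /notes body={"text":"# Shopping list\\n- milk"}',
    'POST /notes body={"text":"hello <META name=probe>"}',
    'POST /notes body=text=%3Cmeta+name%3D%22x%22%3E',
    'POST /notes body={"text":"\\u003cmeta charset=utf-8\\u003e"}',
    'render output: <p>&lt;meta name="x"&gt;</p>',
]

if __name__ == "__main__":
    for number, attrs in scan(SAMPLE_LINES):
        print(f"line {number}: raw <meta> tag, attributes: {attrs!r}")
```

The same `find_meta_tags` check can be run on rendered note output when verifying the fix: an empty result means the tag was escaped to text.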
