Search criteria
12 vulnerabilities by laurent22
CVE-2025-27134 (GCVE-0-2025-27134)
Vulnerability from cvelistv5 – Published: 2025-04-30 14:55 – Updated: 2025-04-30 15:11
VLAI?
Summary
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27134",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:11:08.488746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:11:12.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T14:55:10.285Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x"
},
{
"name": "https://github.com/laurent22/joplin/commit/12baa9827dac9da903f244c9f358e3deb264e228",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/12baa9827dac9da903f244c9f358e3deb264e228"
}
],
"source": {
"advisory": "GHSA-xj67-649m-3p8x",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation in Joplin server via user patch endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27134",
"datePublished": "2025-04-30T14:55:10.285Z",
"dateReserved": "2025-02-19T16:30:47.774Z",
"dateUpdated": "2025-04-30T15:11:12.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27409 (GCVE-0-2025-27409)
Vulnerability from cvelistv5 – Published: 2025-04-30 14:55 – Updated: 2025-04-30 15:11
VLAI?
Summary
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27409",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:11:55.959723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:11:59.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T14:55:07.846Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5"
},
{
"name": "https://github.com/laurent22/joplin/pull/11916",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/pull/11916"
}
],
"source": {
"advisory": "GHSA-5xv6-7jm3-fmg5",
"discovery": "UNKNOWN"
},
"title": "Joplin Server Vulnerable to Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27409",
"datePublished": "2025-04-30T14:55:07.846Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-04-30T15:11:59.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25187 (GCVE-0-2025-25187)
Vulnerability from cvelistv5 – Published: 2025-02-07 22:38 – Updated: 2025-02-10 17:15
VLAI?
Summary
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses <kbd>ctrl</kbd>-<kbd>p</kbd> to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.8 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25187",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:14:00.437337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:15:09.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React\u0027s `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin\u0027s main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses \u003ckbd\u003ectrl\u003c/kbd\u003e-\u003ckbd\u003ep\u003c/kbd\u003e to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T22:38:20.068Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c"
},
{
"name": "https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"
},
{
"name": "https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558"
}
],
"source": {
"advisory": "GHSA-9gfv-q6wj-fr3c",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25187",
"datePublished": "2025-02-07T22:38:20.068Z",
"dateReserved": "2025-02-03T19:30:53.399Z",
"dateUpdated": "2025-02-10T17:15:09.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24028 (GCVE-0-2025-24028)
Vulnerability from cvelistv5 – Published: 2025-02-07 22:23 – Updated: 2025-02-10 17:17
VLAI?
Summary
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`. This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.8 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24028",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:17:07.855594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:17:41.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-5w3c-wph9-hq92"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.6, \u003c 3.2.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin\u0027s HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`. This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T22:23:07.275Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-5w3c-wph9-hq92",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-5w3c-wph9-hq92"
},
{
"name": "https://github.com/laurent22/joplin/commit/2a058ed8097c2502e152b26394dc1917897f5817",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/2a058ed8097c2502e152b26394dc1917897f5817"
},
{
"name": "https://github.com/laurent22/joplin/commit/9b505395918bc923f34fe6f3b960bb10e8cf234e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/9b505395918bc923f34fe6f3b960bb10e8cf234e"
},
{
"name": "https://joplinapp.org/help/dev/spec/note_viewer_isolation",
"tags": [
"x_refsource_MISC"
],
"url": "https://joplinapp.org/help/dev/spec/note_viewer_isolation"
}
],
"source": {
"advisory": "GHSA-5w3c-wph9-hq92",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in Rich Text Editor allows arbitrary code execution in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24028",
"datePublished": "2025-02-07T22:23:07.275Z",
"dateReserved": "2025-01-16T17:31:06.460Z",
"dateUpdated": "2025-02-10T17:17:41.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55630 (GCVE-0-2024-55630)
Vulnerability from cvelistv5 – Published: 2025-02-07 22:23 – Updated: 2025-02-10 17:18
VLAI?
Summary
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerability's only known impact is denial of service. The note viewer fails to refresh until closed and re-opened with a different note. This issue has been addressed in version 3.2.8 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55630",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:18:30.584649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:18:47.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-5cch-jr52-qffh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin\u0027s HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerability\u0027s only known impact is denial of service. The note viewer fails to refresh until closed and re-opened with a different note. This issue has been addressed in version 3.2.8 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T22:23:04.109Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-5cch-jr52-qffh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-5cch-jr52-qffh"
},
{
"name": "https://github.com/laurent22/joplin/commit/e70efcbd60ce62f06e77c183b362c74e636c02d9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/e70efcbd60ce62f06e77c183b362c74e636c02d9"
},
{
"name": "https://en.wikipedia.org/wiki/DOM_clobbering",
"tags": [
"x_refsource_MISC"
],
"url": "https://en.wikipedia.org/wiki/DOM_clobbering"
}
],
"source": {
"advisory": "GHSA-5cch-jr52-qffh",
"discovery": "UNKNOWN"
},
"title": "DOM Clobbering leads to temporary DOS in the note viewer in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55630",
"datePublished": "2025-02-07T22:23:04.109Z",
"dateReserved": "2024-12-09T17:48:05.557Z",
"dateUpdated": "2025-02-10T17:18:47.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53268 (GCVE-0-2024-53268)
Vulnerability from cvelistv5 – Published: 2024-11-25 19:22 – Updated: 2024-11-25 19:38
VLAI?
Summary
Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. This issue has been addressed in version 3.0.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:laurent_22:joplin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "joplin",
"vendor": "laurent_22",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53268",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-25T19:35:21.372405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T19:38:18.292Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. This issue has been addressed in version 3.0.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T19:22:17.131Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-pc5v-xp44-5mgv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-pc5v-xp44-5mgv"
}
],
"source": {
"advisory": "GHSA-pc5v-xp44-5mgv",
"discovery": "UNKNOWN"
},
"title": "Lack of validation on openExternal allows 1 click remote code execution in joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53268",
"datePublished": "2024-11-25T19:22:17.131Z",
"dateReserved": "2024-11-19T20:08:14.481Z",
"dateUpdated": "2024-11-25T19:38:18.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49362 (GCVE-0-2024-49362)
Vulnerability from cvelistv5 – Published: 2024-11-14 17:37 – Updated: 2024-11-14 21:39
VLAI?
Summary
Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.
Severity ?
7.7 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:joplinapp:joplin:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "joplin",
"vendor": "joplinapp",
"versions": [
{
"lessThan": "3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49362",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T21:38:47.636782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T21:39:43.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an \u003ca\u003e link within untrusted notes. The issue arises due to insufficient sanitization of \u003ca\u003e tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T17:37:09.700Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7"
}
],
"source": {
"advisory": "GHSA-hff8-hjwv-j9q7",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution on click of \u003ca\u003e Link in markdown preview"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49362",
"datePublished": "2024-11-14T17:37:09.700Z",
"dateReserved": "2024-10-14T13:56:34.810Z",
"dateUpdated": "2024-11-14T21:39:43.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40643 (GCVE-0-2024-40643)
Vulnerability from cvelistv5 – Published: 2024-09-09 14:28 – Updated: 2024-09-09 14:52
VLAI?
Summary
Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
Severity ?
9.7 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:joplinapp:joplin:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "joplin",
"vendor": "joplinapp",
"versions": [
{
"lessThan": "3.0.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40643",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T14:51:10.576198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T14:52:47.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that \"\u003c\" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an \"illegal\" tag within a tag."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T14:28:20.920Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc"
},
{
"name": "https://github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87"
}
],
"source": {
"advisory": "GHSA-g796-3g6g-jmmc",
"discovery": "UNKNOWN"
},
"title": "Joplin has a parsing error leading to Cross-site Scripting (XSS)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40643",
"datePublished": "2024-09-09T14:28:20.920Z",
"dateReserved": "2024-07-08T16:13:15.512Z",
"dateUpdated": "2024-09-09T14:52:47.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37898 (GCVE-0-2023-37898)
Vulnerability from cvelistv5 – Published: 2024-06-21 19:45 – Updated: 2024-08-02 17:23
VLAI?
Summary
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with <pre> and </pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening <pre> tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:laurent_22:joplin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "joplin",
"vendor": "laurent_22",
"versions": [
{
"lessThan": "2.12.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37898",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T20:15:32.988834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:16:59.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with \u003cpre\u003e and \u003c/pre\u003e, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening \u003cpre\u003e tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:45:19.982Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
}
],
"source": {
"advisory": "GHSA-hjmq-3qh4-g2r8",
"discovery": "UNKNOWN"
},
"title": "Safe mode Cross-site Scripting (XSS) vulnerability in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37898",
"datePublished": "2024-06-21T19:45:19.982Z",
"dateReserved": "2023-07-10T17:51:29.610Z",
"dateUpdated": "2024-08-02T17:23:27.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38506 (GCVE-0-2023-38506)
Vulnerability from cvelistv5 – Published: 2024-06-21 19:43 – Updated: 2024-08-02 17:46
VLAI?
Summary
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:joplin_project:joplin:0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "joplin",
"vendor": "joplin_project",
"versions": [
{
"lessThan": "2.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38506",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T13:57:21.359902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T14:03:04.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:55.757Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS\u0027s `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:43:24.161Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399"
}
],
"source": {
"advisory": "GHSA-m59c-9rrj-c399",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) when pasting HTML into the rich text editor in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38506",
"datePublished": "2024-06-21T19:43:24.161Z",
"dateReserved": "2023-07-18T16:28:12.077Z",
"dateUpdated": "2024-08-02T17:46:55.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39517 (GCVE-0-2023-39517)
Vulnerability from cvelistv5 – Published: 2024-06-21 19:41 – Updated: 2024-08-02 18:10
VLAI?
Summary
Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `<map>` `<area>` links. However, unlike `<a>` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn't sandboxed to prevent top navigation, links with `target` set to `_top` can replace the toplevel electron page. Because any toplevel electron page, with Joplin's setup, has access to `require` and can require node libraries, a malicious replacement toplevel page can import `child_process` and execute arbitrary shell commands. This issue has been fixed in commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f which is included in release version 2.12.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T14:08:13.318984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T14:08:38.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-2h88-m32f-qh5m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-2h88-m32f-qh5m"
},
{
"name": "https://github.com/laurent22/joplin/commit/7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laurent22/joplin/commit/7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `\u003cmap\u003e` `\u003carea\u003e` links. However, unlike `\u003ca\u003e` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn\u0027t sandboxed to prevent top navigation, links with `target` set to `_top` can replace the toplevel electron page. Because any toplevel electron page, with Joplin\u0027s setup, has access to `require` and can require node libraries, a malicious replacement toplevel page can import `child_process` and execute arbitrary shell commands. This issue has been fixed in commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f which is included in release version 2.12.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:41:48.945Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-2h88-m32f-qh5m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-2h88-m32f-qh5m"
},
{
"name": "https://github.com/laurent22/joplin/commit/7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
}
],
"source": {
"advisory": "GHSA-2h88-m32f-qh5m",
"discovery": "UNKNOWN"
},
"title": "Cross site scripting (XSS) when clicking on an untrusted `\u003cmap\u003e` link in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39517",
"datePublished": "2024-06-21T19:41:48.945Z",
"dateReserved": "2023-08-03T16:27:36.261Z",
"dateUpdated": "2024-08-02T18:10:21.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45673 (GCVE-0-2023-45673)
Vulnerability from cvelistv5 – Published: 2024-06-21 19:38 – Updated: 2024-08-02 20:21
VLAI?
Summary
Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.9 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:laurent_22:joplin:2.13.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "joplin",
"vendor": "laurent_22",
"versions": [
{
"lessThan": "2.13.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45673",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-22T16:30:51.519648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-22T16:33:49.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:16.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:38:22.764Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
}
],
"source": {
"advisory": "GHSA-g8qx-5vcm-3x59",
"discovery": "UNKNOWN"
},
"title": "Arbitrary code execution on click of PDF links in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45673",
"datePublished": "2024-06-21T19:38:22.764Z",
"dateReserved": "2023-10-10T14:36:40.861Z",
"dateUpdated": "2024-08-02T20:21:16.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}