Lucene search

[email protected]CVE-2023-39517

HistoryJun 21, 2024 - 8:15 p.m.

CVE-2023-39517

2024-06-2120:15:12

CWE-79

[email protected]

web.nvd.nist.gov

joplin

xss

vulnerability

shell commands

upgrade

note taking

application

open source

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (packages/renderer/htmlUtils.ts::sanitizeHtml) preserves <map> <area> links. However, unlike <a> links, the target and href attributes are not removed. Additionally, because the note preview pane isn’t sandboxed to prevent top navigation, links with target set to _top can replace the toplevel electron page. Because any toplevel electron page, with Joplin’s setup, has access to require and can require node libraries, a malicious replacement toplevel page can import child_process and execute arbitrary shell commands. This issue has been fixed in commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f which is included in release version 2.12.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

Node

laurent22joplinRange<2.12.8

CNA Affected

[
  {
    "vendor": "laurent22",
    "product": "joplin",
    "versions": [
      {
        "version": "< 2.12.8",
        "status": "affected"
      }
    ]
  }
]

References

developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox

github.com/laurent22/joplin/commit/7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f

github.com/laurent22/joplin/security/advisories/GHSA-2h88-m32f-qh5m