Lucene search

[email protected]CVE-2023-45673

HistoryJun 21, 2024 - 8:15 p.m.

CVE-2023-45673

2024-06-2120:15:12

CWE-94

[email protected]

web.nvd.nist.gov

joplin

note taking

remote code execution

pdf

vulnerability

upgrade

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

9.1%

JSON

Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

Node

laurent22joplinRange<2.13.3

CNA Affected

[
  {
    "vendor": "laurent22",
    "product": "joplin",
    "versions": [
      {
        "version": "< 2.13.3",
        "status": "affected"
      }
    ]
  }
]

References

developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox

github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVE-2023-45673

vulnrichment1 cvelist1 nvd1