Lucene search

GitHub_MCVE-2024-40643

HistorySep 09, 2024 - 3:15 p.m.

CVE-2024-40643

2024-09-0915:15:11

CWE-79

GitHub_M

web.nvd.nist.gov

joplin

note-taking

vulnerability

xss

html

open source

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

37.9%

JSON

Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that “<” followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an “illegal” tag within a tag.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

joplin_projectjoplinRange<3.0.15-

VendorProductVersionCPE
joplin_projectjoplin*cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*

Vendor	Product	Version	CPE
joplin_project	joplin	*	cpe:2.3:a:joplin_project:joplin::::::-::*

CNA Affected

[
  {
    "vendor": "laurent22",
    "product": "joplin",
    "versions": [
      {
        "version": "< 3.0.15",
        "status": "affected"
      }
    ]
  }
]

References

github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87

github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

37.9%

JSON

Related for CVE-2024-40643