Lucene search

GitHub_MCVELIST:CVE-2024-40643

HistorySep 09, 2024 - 2:28 p.m.

CVE-2024-40643 Joplin has a parsing error leading to Cross-site Scripting (XSS)

2024-09-0914:28:20

CWE-79

GitHub_M

www.cve.org

cve-2024-40643

joplin

parsing error

cross-site scripting

xss

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

37.9%

JSON

Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that “<” followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an “illegal” tag within a tag.

CNA Affected

[
  {
    "vendor": "laurent22",
    "product": "joplin",
    "versions": [
      {
        "version": "< 3.0.15",
        "status": "affected"
      }
    ]
  }
]

References

github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87

github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

37.9%

JSON

Related for CVELIST:CVE-2024-40643