Lucene search

[email protected]NVD:CVE-2024-40643

HistorySep 09, 2024 - 3:15 p.m.

CVE-2024-40643

2024-09-0915:15:11

CWE-79

[email protected]

web.nvd.nist.gov

joplin

note taking

xss vulnerability

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

37.9%

JSON

Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that “<” followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an “illegal” tag within a tag.

Affected configurations

Nvd

Node

joplin_projectjoplinRange<3.0.15-

VendorProductVersionCPE
joplin_projectjoplin*cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*

Vendor	Product	Version	CPE
joplin_project	joplin	*	cpe:2.3:a:joplin_project:joplin::::::-::*

References

github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87

github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

37.9%

JSON

Related for NVD:CVE-2024-40643

cvelist1 vulnrichment1 osv1 cve1