Lucene search

GitHub_MVULNRICHMENT:CVE-2024-40643

HistorySep 09, 2024 - 2:28 p.m.

CVE-2024-40643 Joplin has a parsing error leading to Cross-site Scripting (XSS)

2024-09-0914:28:20

CWE-79

GitHub_M

github.com

joplin

parsing error

cross-site scripting

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

37.9%

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that “<” followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an “illegal” tag within a tag.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:joplinapp:joplin:*:*:*:*:*:node.js:*:*"
    ],
    "vendor": "joplinapp",
    "product": "joplin",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.0.15",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87

github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

37.9%

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-40643