CVE-2018-1000534

Name of the Vulnerable Software and Affected Versions Joplin versions prior to 1.0.90

Description The issue is related to a Cross-site Scripting (XSS) vulnerability that can evolve into code execution due to enabled nodeIntegration for a particular BrowserWindow instance. The XSS was identified in the Note content field. This can result in executing unauthorized code within the rights in which the application is running. The attack appears to be exploitable via a victim synchronizing notes from cloud services or other note-keeping services that contain malicious code.

Recommendations For Joplin versions prior to 1.0.90, update to version 1.0.90 or later to resolve the issue. As a temporary workaround, consider disabling the synchronization of notes from cloud services or other note-keeping services until the update is applied. Restrict access to the Note content field to minimize the risk of exploitation.