PT-2022-25315 · Joplin · Joplin

Carlos Bello

·

Published

2022-09-30

·

Updated

2025-05-20

·

CVE-2022-40277

CVSS v3.1

7.8

High

Vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Joplin version 2.8.8
Description: The issue allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file. This is possible because the application does not properly validate the scheme (protocol) of links in the markdown file before passing them to the shell.openExternal function.
Recommendations: For Joplin version 2.8.8, consider disabling the shell.openExternal function until a patch is available, to prevent remote code execution when opening malicious markdown files. Restrict access to markdown files from untrusted sources to minimize the risk of exploitation.
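The root cause named above is a missing scheme check before the link reaches shell.openExternal. The following is an added example of the kind of allowlist guard a defender would put in front of that call; it is not Joplin's code or the project's actual fix. The scheme allowlist, the function names and the sample link list are assumptions of this example, and the opener is injected as a parameter so the code runs without Electron.

```javascript
// Added example (not Joplin's code or fix): only hand a link from untrusted
// markdown to shell.openExternal when its scheme is on an explicit allowlist.
// The allowlist and function names are this example's assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns true only for absolute URLs whose scheme is allowlisted.
// WHATWG URL parsing lower-cases the scheme and rejects relative paths,
// so "HTTPS://x" passes and "notes/todo.md" fails without special cases.
function isSafeExternalUrl(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // relative path, empty string or unparsable input
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// In a real Electron app openExternal would be require("electron").shell.openExternal;
// it is passed in here so the guard can be exercised outside Electron.
function openExternalSafely(href, openExternal) {
  if (!isSafeExternalUrl(href)) {
    return { opened: false, reason: "scheme not allowlisted" };
  }
  openExternal(href);
  return { opened: true, reason: null };
}

// Splits a batch of link targets (e.g. every href found in a rendered note)
// into the ones that may be opened and the ones that must be refused.
function filterUntrustedLinks(hrefs) {
  const allowed = [];
  const blocked = [];
  for (const href of hrefs) {
    (isSafeExternalUrl(href) ? allowed : blocked).push(href);
  }
  return { allowed, blocked };
}

// Constructed sample links, as they might appear in a note from an untrusted source.
const SAMPLE_LINKS = [
  "https://example.test/page",
  "mailto:someone@example.test",
  "file:///tmp/note.txt",
  "javascript:void(0)",
  "custom-handler:open",
  "notes/todo.md",
];

const verdict = filterUntrustedLinks(SAMPLE_LINKS);
console.log("allowed:", verdict.allowed);
console.log("blocked:", verdict.blocked);
```

The check is deliberately an allowlist rather than a denylist of known-bad schemes: any scheme not in the set, including OS-registered custom protocol handlers, is refused, which is the property the advisory says version 2.8.8 lacked.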

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-40277
GHSA-MJR5-V9C9-MM7G

Affected Products

Joplin