PT-2024-12661 · Joplin · Joplin
Personalizedrefrigerator · Published 2024-06-21 · Updated 2024-06-24 · CVE-2023-37898
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 2.12.9
Description: A Cross-site Scripting (XSS) vulnerability in Joplin allows an untrusted note opened in safe mode to execute arbitrary code. The packages/renderer/MarkupToHtml.ts file renders note content in safe mode without escaping interior HTML tags, so an attacker can craft a note that closes the opening tag and includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the top-level document and is not sandboxed, scripts running in the preview iframe can access the top variable and the top-level NodeJS require function, allowing the import of modules such as fs or child_process to run arbitrary commands.
Recommendations: For versions prior to 2.12.9, upgrade to version 2.12.9 or later. As a temporary workaround, consider disabling the rendering of notes in safe mode until a patch is available. Restrict access to the packages/renderer/MarkupToHtml.ts module to minimize the risk of exploitation. Avoid using the require function in the affected iframe until the issue is resolved.
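As an added example (not Joplin's own code), the wrap-without-escaping pattern described above is shown beside a hardened safe-mode renderer and a check that the wrapper survives rendering; the function names, the `<pre>` wrapper and the sandbox attribute value are assumptions for illustration.

```typescript
// Added example, not Joplin's code. Demonstrates why safe mode must escape
// note content before wrapping it, and how to verify the wrapper is intact.
// The <pre> wrapper and all function names are assumptions for illustration.

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(text: string): string {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern behind the advisory: raw note markup placed inside the wrapper.
// A body that starts with the wrapper's closing tag terminates it, and the
// rest of the body is parsed as live HTML.
function renderSafeModeUnescaped(markup: string): string {
  return `<pre class="safe-mode">${markup}</pre>`;
}

// Hardened: the body is escaped first, so the output contains exactly one
// opening and one closing wrapper tag regardless of the note's content.
function renderSafeModeEscaped(markup: string): string {
  return `<pre class="safe-mode">${escapeHtml(markup)}</pre>`;
}

// Defender-side check: list the tags in the rendered output. Anything beyond
// the single wrapper pair means note content was interpreted as HTML.
function wrapperIsIntact(html: string): boolean {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length === 2 && tags[0].startsWith('<pre') && tags[1] === '</pre>';
}

// Second layer for the preview frame: a sandbox without allow-same-origin
// gives the iframe an opaque origin, so window.top is cross-origin even if
// scripts still run inside it (assumed attribute value, not Joplin's config).
function previewIframeSandbox(): string {
  return 'allow-scripts';
}

// Constructed sample note body exercising the wrapper-closing case.
const sampleNote = 'a </pre><b>bold</b> & "quoted"';
console.log(renderSafeModeEscaped(sampleNote));
console.log('unescaped intact:', wrapperIsIntact(renderSafeModeUnescaped(sampleNote)));
console.log('escaped intact:  ', wrapperIsIntact(renderSafeModeEscaped(sampleNote)));
console.log('iframe sandbox:  ', previewIframeSandbox());
```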

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2023-37898, GHSA-HJMQ-3QH4-G2R8

Affected Products: Joplin