PT-2024-12733 · Joplin+2

Personalizedrefrigerator · Published 2024-06-21 · Updated 2025-04-11 · CVE-2023-38506

CVSS v3.1 8.2 High
Vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 2.12.10
Description: A cross-site scripting (XSS) issue in Joplin allows arbitrary code execution when untrusted data is pasted into the rich text editor. HTML pasted into the editor is not properly sanitized, so the onload attribute of a pasted image executes arbitrary JavaScript inside the editor. Because the TinyMCE editor frame lacks the sandbox attribute, that script can reach Node.js's require through the top window and so run arbitrary commands on the host.
Recommendations: Upgrade to version 2.12.10 or later, which resolves the issue. Until the upgrade is applied, avoid (or disable) the rich text editor and do not paste HTML from untrusted sources, such as web pages or documents received from others, into notes; clipboard content from an untrusted source is the attack vector here.
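As an added example (not Joplin's or TinyMCE's code, and not the upstream fix), the following Node.js script shows the paste-side defence the description implies: an allowlist sanitizer that drops event-handler attributes such as onload on pasted images, removes script-bearing elements, and rejects javascript: URLs, so that clipboard HTML never reaches the editor with executable content. The tag and attribute allowlists, the helper names, and the sample clipboard content are assumptions made for illustration.

```javascript
// Added example (not Joplin's or TinyMCE's code): an allowlist sanitizer for
// HTML arriving through a paste event. It shows the class of fix the advisory
// calls for: event-handler attributes such as the onload on a pasted <img>,
// script-bearing elements and javascript: URLs must not reach the editor.
// The tokenizer is deliberately minimal; production code should run a
// DOM-backed sanitizer such as DOMPurify instead.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre',
  'ul', 'ol', 'li', 'a', 'img',
]);
const VOID_TAGS = new Set(['br', 'img']);
// Per-tag attribute allowlist (assumed for this example). Tags absent here
// keep no attributes at all, so on* handlers can never survive.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
};
const URL_ATTRS = new Set(['href', 'src']);
// Scheme allowlist; anything else (javascript:, vbscript:, data:text/html)
// is dropped rather than "fixed".
const SAFE_URL = /^(?:https?:|mailto:|data:image\/(?:png|jpeg|gif|webp);|\/|#)/i;

function safeUrl(value) {
  // Browsers ignore control characters and whitespace inside a scheme
  // ("java\nscript:"), so strip them before checking the prefix.
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  return SAFE_URL.test(cleaned) ? cleaned : null;
}

function escapeAttr(value) {
  return value.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Re-emit only allowlisted attributes of one tag, with safe URL values.
function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    // onload, onerror, onclick, ... are rejected regardless of the tag.
    if (name.startsWith('on') || !allowed.has(name)) continue;
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (URL_ATTRS.has(name)) {
      value = safeUrl(value);
      if (value === null) continue;
    }
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizePastedHtml(html) {
  // Elements whose body is itself executable or specially parsed are
  // removed together with their content; comments are dropped.
  let s = html.replace(
    /<(script|style|iframe|object|embed|svg|math|template)\b[\s\S]*?<\/\1\s*>/gi, '');
  s = s.replace(/<!--[\s\S]*?-->/g, '');
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  const out = [];
  let last = 0;
  let m;
  while ((m = tagRe.exec(s)) !== null) {
    out.push(s.slice(last, m.index).replace(/</g, '&lt;')); // text node
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // unknown tag removed, its text kept
    if (closing) {
      if (!VOID_TAGS.has(tag)) out.push(`</${tag}>`);
    } else {
      out.push(`<${tag}${sanitizeAttrs(tag, m[3])}>`);
    }
  }
  out.push(s.slice(last).replace(/</g, '&lt;')); // trailing text, unclosed tags
  return out.join('');
}

// Constructed sample: what a malicious web page could place on the clipboard.
const PASTED = '<p>Hi</p><img src="https://example.com/a.png" onload="alert(1)">'
  + '<a href="javascript:alert(1)" onclick="x()">link</a><script>bad()</script>';

console.log(sanitizePastedHtml(PASTED));
```

Sanitizing the paste is only one of the two layers the description names; it does nothing about an editor frame that can still reach top.require. That second finding is addressed by isolating the frame itself (the sandbox attribute on the iframe, and in an Electron host keeping Node integration away from renderer content), so that a script which does slip past the sanitizer has no path to the Node.js API.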

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-38506
GHSA-m59c-9rrj-c399

Affected Products

Joplin
Node.js
TinyMCE