PT-2024-12815 · Joplin · Joplin

Personalizedrefrigerator · Published 2024-06-21 · Updated 2024-09-26 · CVE-2023-39517

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 2.12.8

Description: A cross-site scripting (XSS) vulnerability in Joplin allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer preserves <map> and <area> links but, unlike for <a> links, does not remove their target and href attributes. This allows a link with target set to top to replace the top-level Electron page, which can then import child process and execute arbitrary shell commands.

Recommendations: For versions prior to 2.12.8, upgrade to release version 2.12.8 or later to fix the issue. As a temporary workaround, consider disabling the packages/renderer/htmlUtils.ts::sanitizeHtml function until a patch is available. Restrict access to untrusted image links to minimize the risk of exploitation. Avoid using the target and href attributes in links until the issue is resolved.
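The description above comes down to one inconsistency in the sanitizer: `<a>` loses its `href` and `target`, while `<area>` keeps them, so an image map can still retarget the top-level page. The following is an added example, not Joplin's code and not taken from packages/renderer/htmlUtils.ts. It shows the hardened behaviour in a small Node.js sketch: link-like tags (`<a>` and `<area>`) are treated identically, navigation attributes are stripped from both, and an audit pass checks the sanitizer's output for any that survived. All function names and the sample HTML are constructed for this example; the regex-based tag handling is a teaching stand-in for a proper HTML parser, which a production sanitizer should use.

```javascript
// Added example, not Joplin's code. Hypothetical helper names.
// Demonstrates the hardened behaviour the advisory describes as missing:
// navigation attributes (href, target) are dropped from <area> exactly as
// they are from <a>, so neither element can retarget the top-level page.
// The tag/attribute regexes are a teaching stand-in for a real HTML parser,
// which a production sanitizer should use instead (quoted values containing
// '>' are not handled here).

const NAVIGATION_ATTRS = new Set(['href', 'target']);
const LINK_LIKE_TAGS = new Set(['a', 'area']);

// Opening tag: name, raw attribute text, optional self-closing slash.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)(\s[^>]*?)?(\/?)>/g;
// One attribute: name and an optional quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Drop href/target from an attribute string, keeping everything else as written.
function stripNavigationAttributes(attrText) {
  if (!attrText) return '';
  const kept = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    if (NAVIGATION_ATTRS.has(m[1].toLowerCase())) continue;
    kept.push(m[2] === undefined ? m[1] : `${m[1]}=${m[2]}`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

// Rewrite every <a> and <area> opening tag without its navigation attributes.
// Other tags, closing tags and text are passed through untouched.
function sanitizeLinkLikeTags(html) {
  return html.replace(TAG_RE, (whole, name, attrs, selfClose) => {
    if (!LINK_LIKE_TAGS.has(name.toLowerCase())) return whole;
    return `<${name}${stripNavigationAttributes(attrs)}${selfClose}>`;
  });
}

// Post-sanitization check: list any navigation attribute still present on a
// link-like tag, as "tag.attr". An empty array means the output is clean.
function auditNavigationAttributes(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (!LINK_LIKE_TAGS.has(name) || !tag[2]) continue;
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (NAVIGATION_ATTRS.has(attrName)) findings.push(`${name}.${attrName}`);
    }
  }
  return findings;
}

// Constructed sample: an image map whose <area> carries href and target,
// plus an ordinary <a> for comparison. Not taken from any real note.
const SAMPLE_HTML =
  '<img src="pic.png" usemap="#m">' +
  '<map name="m"><area shape="rect" coords="0,0,10,10" href="https://example.com/page" target="_top" alt="go"></map>' +
  '<a href="https://example.com" target="_top">link</a>';

console.log('before:', auditNavigationAttributes(SAMPLE_HTML));
const cleanHtml = sanitizeLinkLikeTags(SAMPLE_HTML);
console.log('after :', auditNavigationAttributes(cleanHtml));
console.log(cleanHtml);
```

The audit function is the part worth keeping around beyond the fix itself: running it over the sanitizer's output in a unit test turns "does `<area>` behave like `<a>`" into an assertion that fails the build if a future allow-list change reintroduces either attribute.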

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2023-39517, GHSA-2H88-M32F-QH5M

Affected Products: Joplin