CVE-2023-45673

Name of the Vulnerable Software and Affected Versions Joplin versions prior to 2.13.3

Description A remote code execution issue in Joplin allows arbitrary shell commands to be executed when a user clicks on a link in a PDF within an untrusted note. This occurs because Joplin desktop has not disabled top redirection for note viewer iframes and has node integration enabled. The issue impacts users who attach untrusted PDFs to notes and have the icon enabled.

Recommendations For versions prior to 2.13.3, upgrade to version 2.13.3 to resolve the issue. As a temporary workaround, consider disabling the node integration or restricting the ability to click on links in PDFs within notes until the upgrade can be applied. Avoid using the note viewer iframe with untrusted notes until the issue is resolved.