PT-2024-33486 · Mermaid+3

Jackfromeast

·

Published

2024-11-14

·

Updated

2024-11-15

·

CVE-2024-49362

CVSS v3.1

9.6

Critical

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Joplin-desktop (affected versions not specified)

Description

The issue arises from insufficient sanitization of <a> tag attributes in the HTML that Mermaid generates, which allows untrusted HTML from a note to execute inside the Electron window. The Markdown preview iframe shares its parent's origin and lacks the sandbox attribute, so script running in the iframe can reach Node.js APIs through window.parent. As a result, a single click on an <a> link inside an untrusted note can lead to arbitrary shell command execution.

Recommendations

At the time of writing, no version containing a fix for this vulnerability has been identified.
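The first layer of the fix the description implies is attribute allow-listing on every <a> start tag before generated HTML reaches the preview. The following is an added example and is not code from Joplin, Mermaid or Electron; the function names are hypothetical and the sample tags are constructed. It drops every attribute not on a short allow list (so event handlers never survive) and rejects href values whose scheme is not http, https or mailto, using the WHATWG URL parser so that tab and newline obfuscation of the scheme is normalised before the comparison.

```javascript
// Added example (not Joplin, Mermaid or Electron code): allow-list
// sanitization of <a> start tags before rendered HTML reaches a preview.
// Function names and the sample tags below are hypothetical/constructed.

// Only these attributes survive; event handlers (onclick, onmouseover, ...),
// style and anything else are dropped rather than denied one by one.
const ALLOWED_ATTRS = new Set(['href', 'title']);
// Only these URL schemes may appear in href; javascript:, data:, file: and
// any app-specific scheme are rejected.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Tokenize the attributes of one <a ...> start tag into [{ name, value }].
// Returns null when the input is not an <a> start tag at all.
function parseAnchorAttrs(tag) {
  const open = /^<a(?=[\s\/>])/i.exec(tag);
  if (!open) return null;
  const body = tag.slice(open[0].length).replace(/\/?>\s*$/, '');
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? null });
  }
  return attrs;
}

// Scheme check via the WHATWG URL parser: it strips ASCII tabs/newlines and
// leading control characters, so "java\tscript:" is seen as "javascript:".
// Relative links resolve against a dummy base and therefore pass.
function isSafeHref(raw) {
  if (raw === null) return false;
  let url;
  try {
    url = new URL(raw, 'https://preview.invalid/');
  } catch {
    return false;
  }
  return SAFE_SCHEMES.has(url.protocol);
}

function escapeAttrValue(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rebuild the start tag keeping only allow-listed attributes with safe
// values. Input that is not an <a> start tag is removed entirely.
function sanitizeAnchorTag(tag) {
  const attrs = parseAnchorAttrs(tag);
  if (attrs === null) return '';
  const kept = [];
  for (const { name, value } of attrs) {
    if (!ALLOWED_ATTRS.has(name)) continue;
    if (name === 'href' && !isSafeHref(value)) continue;
    kept.push(`${name}="${escapeAttrValue(value ?? '')}"`);
  }
  return kept.length ? `<a ${kept.join(' ')}>` : '<a>';
}

// Apply to every <a ...> start tag in a rendered fragment. The regex pass is
// illustrative; a production renderer should walk a real HTML parse tree.
function sanitizeAnchors(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => sanitizeAnchorTag(tag));
}

// Constructed fragment standing in for renderer output with a hostile link.
const SAMPLE = '<p>see <a href="javascript:alert(1)" onclick="alert(2)">here</a></p>';
console.log(sanitizeAnchors(SAMPLE)); // <p>see <a>here</a></p>
```

Attribute sanitization alone does not close the second gap the description names: as long as the preview iframe is same-origin with its parent and has no sandbox attribute, any script that does slip through can still reach window.parent and, from there, Node.js APIs. Rendering untrusted notes in a sandboxed or separate-origin frame with nodeIntegration disabled and contextIsolation enabled is the complementary layer in an Electron application.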

Exploit

RCE

Code Injection

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-49362
GHSA-HFF8-HJWV-J9Q7

Affected Products

Electron
Joplin-Desktop
Mermaid
Node.Js