Skip to content

Joplin Vulnerable to Cross-site Scripting in Note Content

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Apr 23, 2024

Package

npm joplin (npm)

Affected versions

< 1.0.90

Patched versions

1.0.90

Description

Joplin version prior to 1.0.90 contains a Cross-site Scripting (XSS) evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here laurent22/joplin@494e235 that can result in executing unauthorized code within the rights in which the application is running. This attack appear to be exploitable via Victim synchronizing notes from the cloud services or other note-keeping services which contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later.

References

Published by the National Vulnerability Database Jun 26, 2018
Published to the GitHub Advisory Database May 14, 2022
Last updated Apr 23, 2024
Reviewed Apr 23, 2024

Severity

Moderate
6.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2018-1000534

GHSA ID

GHSA-m6mf-hmrh-ph4j

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.