Back

CVE-2023-38506

June 21, 2024, 8:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Joplin

  • 2.12.10 and above

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-79
2024-06-21
CVE-2023-38506

CVE-2023-38506 details

Published : June 21, 2024, 8:15 p.m.
Last Modified : June 21, 2024, 8:15 p.m.

Description

Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

1 2 3 4 5 6 7 8.2 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

Base Score

8.2

Exploitability Score

2.3

Impact Score

5.3

Base Severity

HIGH

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

References

URL Source
https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.