Joplin vulnerable to Cross-site Scripting (XSS) attack
CVE-2023-38506

5.4 MEDIUM

Key Information:

Vendor: Laurent22
Status: Vendor
CVE Published: 21 June 2024

What is CVE-2023-38506?

Joplin, an open-source note-taking and to-do application, is susceptible to a Cross-site Scripting (XSS) vulnerability: untrusted data pasted into the rich text editor is not properly sanitized. The issue arises when HTML content, including images with onload attributes, is inserted into the editor. Because the TinyMCE editor frame does not use the sandbox attribute, the injected script runs with access to the top variable and can reach NodeJS's require method, which allows an attacker to execute arbitrary code and compromise the system. Users are urged to upgrade to version 2.12.10; there are currently no known workarounds.
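As an added example (not Joplin's or TinyMCE's code), the sanitizer below shows the allowlist approach a paste handler needs before untrusted HTML reaches the editor: tags and attributes outside the allowlist, including every on* handler such as onload, are dropped, and URL attributes are restricted to safe schemes. The tag set, helper names and the sample clipboard content are constructed for this illustration; the frame's sandbox attribute mentioned above is a separate, complementary layer.

```javascript
// Added example (not Joplin's code): allowlist sanitizer for HTML pasted into
// a rich text editor. Every tag not in ALLOWED is dropped, every attribute not
// listed for its tag (so all on* handlers such as onload) is dropped, and URL
// attributes must use an allowlisted scheme. The tokenizer is simplified; a
// production editor should rely on a maintained sanitizer such as DOMPurify.
// Tag and attribute sets below are constructed for this illustration.
const ALLOWED = new Map([
  ["p", []], ["b", []], ["i", []], ["em", []], ["strong", []], ["br", []],
  ["ul", []], ["ol", []], ["li", []],
  ["a", ["href", "title"]],
  ["img", ["src", "alt", "width", "height"]],
]);
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Accept relative URLs and allowlisted schemes only; control characters are
// removed before the check because browsers ignore them inside a scheme.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || SAFE_SCHEMES.has(m[1]);
}

function sanitizeHtml(html) {
  // Remove comments and containers whose content must never survive a paste.
  const stripped = html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<(script|style|iframe|object|embed)\b[\s\S]*?<\/\1\s*>/gi, "");
  const attrRe = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  return stripped.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (_, slash, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED.has(tag)) return "";           // unknown tag: drop it, keep its text
    if (slash) return `</${tag}>`;
    const kept = [];
    for (const m of rawAttrs.matchAll(attrRe)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      if (!ALLOWED.get(tag).includes(attr)) continue;      // drops onload, style, ...
      if (URL_ATTRS.has(attr) && !safeUrl(value)) continue; // drops javascript: URLs
      kept.push(` ${attr}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${tag}${kept.join("")}>`;
  });
}

// Constructed sample of a clipboard payload of the kind the advisory describes.
const PASTED =
  '<p>Hello <b>world</b></p><img src="x" onload="alert(1)">' +
  '<a href="javascript:alert(1)">click</a><script>alert(1)</script>';
console.log(sanitizeHtml(PASTED)); // <p>Hello <b>world</b></p><img src="x"><a>click</a>
```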

Affected Version(s)

joplin < 2.12.10

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
