Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Joplin
(Joplin_project)| Repositories | https://github.com/laurent22/joplin |
| #Vulnerabilities | 16 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-11-06 | CVE-2020-28249 | Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. | Joplin | 6.1 | ||
| 2021-08-03 | CVE-2021-37916 | Joplin before 2.0.9 allows XSS via button and form in the note body. | Joplin | 6.1 | ||
| 2022-02-08 | CVE-2022-23340 | Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results. | Joplin | 9.8 | ||
| 2022-06-16 | CVE-2021-33295 | Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute aribrary code due to improper sanitizing of html. | Joplin | 5.4 | ||
| 2023-01-31 | CVE-2022-45598 | Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper santization. | Joplin | 6.1 | ||
| 2023-06-30 | CVE-2023-37298 | Joplin before 2.11.5 allows XSS via a USE element in an SVG document. | Joplin | 6.1 | ||
| 2023-06-30 | CVE-2023-37299 | Joplin before 2.11.5 allows XSS via an AREA element of an image map. | Joplin | 6.1 | ||
| 2024-06-21 | CVE-2023-39517 | Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `<map>` `<area>` links. However, unlike `<a>` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn't sandboxed to prevent top navigation, links with... | Joplin | 5.4 | ||
| 2024-09-09 | CVE-2024-40643 | Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag. | Joplin | 9.6 | ||
| 2018-06-26 | CVE-2018-1000534 | Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that can result in executing unauthorized code within the rights in which the application is running. This attack appear to be exploitable via Victim... | Joplin | 6.1 |