Product: Joplin (Joplin_project)
Repository: https://github.com/laurent22/joplin
#Vulnerabilities: 16
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-01-31 | CVE-2022-45598 | Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper sanitization. | Joplin | 6.1 | | |
2023-06-30 | CVE-2023-37298 | Joplin before 2.11.5 allows XSS via a USE element in an SVG document. | Joplin | 6.1 | | |
2023-06-30 | CVE-2023-37299 | Joplin before 2.11.5 allows XSS via an AREA element of an image map. | Joplin | 6.1 | | |
2024-06-21 | CVE-2023-39517 | Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `<map>` `<area>` links. However, unlike `<a>` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn't sandboxed to prevent top navigation, links with... | Joplin | 5.4 | | |
2024-09-09 | CVE-2024-40643 | Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non-letter character will not be considered HTML. As such it is possible to do an XSS by putting an "illegal" tag within a tag. | Joplin | 9.6 | | |
2018-06-26 | CVE-2018-1000534 | Joplin version prior to 1.0.90 contains an XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that can result in executing unauthorized code within the rights in which the application is running. This attack appears to be exploitable via Victim... | Joplin | 6.1 | | |
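Two of the summaries above describe the same class of sanitizer mistake from different angles: CVE-2023-39517 is a policy applied to `<a>` but not to `<area>`, and CVE-2024-40643 is a sanitizer whose idea of where a tag starts differs from the browser's. The block below is an added illustration of both points and is not Joplin's sanitizer (the real one is `packages/renderer/htmlUtils.ts::sanitizeHtml`, which is not reproduced here). The attribute and scheme allowlists, the `sanitizeAttributes` hook (modelled on what an HTML parser hands a per-element callback, with attribute values already entity-decoded) and the `SAMPLE` string are all constructed for the example.

```javascript
// Added example (not Joplin code): two checks a note renderer's HTML sanitizer needs.
//
// Part 1: one link policy for every element that carries href/target.
// Hypothetical allowlists; a real renderer would extend them.
const SAFE_HREF_SCHEMES = new Set(['http', 'https', 'mailto']);
const ALLOWED_ATTRS = {
  a: ['href', 'title'],
  area: ['href', 'alt', 'shape', 'coords'],
};

// Attribute values are assumed already entity-decoded, as an HTML parser delivers them.
function hrefIsSafe(value) {
  // Browsers strip leading/trailing C0 controls and spaces, and remove tab/LF/CR
  // anywhere, before they look at the scheme; do the same or "java\nscript:" slips through.
  const v = String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  if (!m) return true;                 // no scheme: relative URL or fragment
  return SAFE_HREF_SCHEMES.has(m[1]);
}

// Returns the attributes to keep for one element. Everything not allowlisted
// (target, on*, style, ...) is dropped, and href gets the same scheme check
// whether the element is <a> or <area>.
function sanitizeAttributes(tagName, attrs) {
  const allowed = ALLOWED_ATTRS[tagName.toLowerCase()];
  const out = {};
  if (!allowed) return out;
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    if (!allowed.includes(n)) continue;
    if (n === 'href' && !hrefIsSafe(value)) continue;
    out[n] = value;
  }
  return out;
}

// Part 2: where a browser thinks markup starts (WHATWG tokenizer "tag open state").
// After "<", only "!", "/", "?" or an ASCII letter begins markup; anything else
// (digit, space, another "<", end of input) makes the "<" literal text.
function lessThanStartsMarkup(html, i) {
  if (html[i] !== '<') throw new Error('expected "<" at offset ' + i);
  const c = html[i + 1];
  if (c === undefined) return false;
  if (c === '!' || c === '/' || c === '?') return true;
  return /^[A-Za-z]$/.test(c);
}

// Offsets of every "<" that a browser treats as the start of markup.
function markupStartOffsets(html) {
  const offsets = [];
  for (let i = 0; i < html.length; i++) {
    if (html[i] === '<' && lessThanStartsMarkup(html, i)) offsets.push(i);
  }
  return offsets;
}

// A regex "tag stripper" of the kind found in ad-hoc sanitizers: it treats every
// "<...>" as a tag, which is not what the browser does.
function naiveStripTags(html) {
  return html.replace(/<[^>]*>/g, '');
}

// Constructed sample: "<1 y>" is text to a browser but a "tag" to the regex.
const SAMPLE = 'x <1 y> <b>z</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sanitizeAttributes('area', {
    shape: 'rect', coords: '0,0,10,10', href: 'javascript:void(0)', target: '_top',
  }));
  console.log(markupStartOffsets(SAMPLE), JSON.stringify(naiveStripTags(SAMPLE)));
}
```

The design point is that a sanitizer is only as good as its model of the browser: the same attribute policy must be keyed on the attribute (every `href`, every `target`), not on the one element the author remembered, and any decision about where markup begins has to follow the tokenizer rules the browser applies, otherwise sanitizer and renderer disagree about what is text and what is a tag.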