fkie_cve-2023-37898
Vulnerability from fkie_nvd
Published
2024-06-21 20:15
Modified
2025-04-11 17:19
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with <pre> and </pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening <pre> tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandboxTechnical Description
security-advisories@github.comhttps://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandboxTechnical Description
af854a3a-2127-422b-91ae-364da2661108https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8Exploit, Vendor Advisory
Impacted products
Vendor Product Version
joplin_project joplin *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*",
              "matchCriteriaId": "70E827D0-C286-4DA5-893E-C7FC1C03FECD",
              "versionEndExcluding": "2.12.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with \u003cpre\u003e and \u003c/pre\u003e, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening \u003cpre\u003e tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Joplin es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para tomar notas y tareas pendientes. Una vulnerabilidad de Cross-Site Scripting (XSS) permite que una nota que no es de confianza abierta en modo seguro ejecute c\u00f3digo arbitrario. `packages/renderer/MarkupToHtml.ts` muestra el contenido de la nota en modo seguro rode\u00e1ndolo con \u003cpre\u003e y \u003c/pre\u003e, sin escapar de ninguna etiqueta HTML interior. Por lo tanto, un atacante puede crear una nota que cierre la etiqueta \u003cpre\u003e de apertura y luego incluya HTML que ejecute JavaScript. Debido a que el iframe de rebajas renderizado tiene el mismo origen que el documento de nivel superior y no est\u00e1 en un espacio aislado, cualquier script que se ejecute en el iframe de vista previa puede acceder a la variable superior y, por lo tanto, acceder a la funci\u00f3n `require` de NodeJS de nivel superior. Luego, `require` se puede usar para importar m\u00f3dulos como fs o child_process y ejecutar comandos arbitrarios. Este problema se solucion\u00f3 en la versi\u00f3n 2.12.9 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\u003c/pre\u003e"
    }
  ],
  "id": "CVE-2023-37898",
  "lastModified": "2025-04-11T17:19:44.633",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-06-21T20:15:11.583",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.