Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
References
Link | Resource |
---|---|
https://github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87 | Patch |
https://github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc | Exploit Vendor Advisory |
Configurations
History
17 Sep 2024, 18:03
Type | Values Removed | Values Added |
---|---|---|
First Time |
Joplin Project joplin
Joplin Project |
|
Summary |
|
|
CPE | cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:* | |
References | () https://github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87 - Patch | |
References | () https://github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc - Exploit, Vendor Advisory |
09 Sep 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-09 15:15
Updated : 2024-09-17 18:03
NVD link : CVE-2024-40643
Mitre link : CVE-2024-40643
CVE.ORG link : CVE-2024-40643
JSON object : View
Products Affected
joplin_project
- joplin
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')