CVE-2024-40643

Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
Configurations

Configuration 1 (hide)

cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*

History

17 Sep 2024, 18:03

Type Values Removed Values Added
First Time Joplin Project joplin
Joplin Project
Summary
  • (es) Joplin es una aplicación de código abierto y gratuita para tomar notas y realizar tareas pendientes. Joplin no tiene en cuenta que un "&lt;" seguido de un carácter que no sea una letra no se considerará HTML. Por lo tanto, es posible realizar un XSS colocando una etiqueta "ilegal" dentro de otra etiqueta.
CPE cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*
References () https://github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87 - () https://github.com/laurent22/joplin/commit/b220413a9b5ed55fb1f565ac786a5c231da8bc87 - Patch
References () https://github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc - () https://github.com/laurent22/joplin/security/advisories/GHSA-g796-3g6g-jmmc - Exploit, Vendor Advisory

09 Sep 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-09 15:15

Updated : 2024-09-17 18:03


NVD link : CVE-2024-40643

Mitre link : CVE-2024-40643

CVE.ORG link : CVE-2024-40643


JSON object : View

Products Affected

joplin_project

  • joplin
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')