CVE-2024-49362

Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.1 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7

Configurations

No configuration.

History

15 Nov 2024, 13:58

Type	Values Removed	Values Added
Summary		(es) Joplin es una aplicación de código abierto y gratuita para tomar notas y realizar tareas pendientes. Joplin-desktop tiene una vulnerabilidad que provoca la ejecución remota de código (RCE) cuando un usuario hace clic en un enlace <a rel="nofollow"> dentro de notas que no son de confianza. El problema surge debido a una limpieza insuficiente de los atributos de la etiqueta </a><a rel="nofollow"> introducidos por Mermaid. Esta vulnerabilidad permite la ejecución de contenido HTML no confiable dentro de la ventana Electron, que tiene acceso completo a las API de Node.js, lo que permite la ejecución arbitraria de comandos de shell.</a>

14 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-14 18:15

Updated : 2024-11-15 13:58

NVD link : CVE-2024-49362

Mitre link : CVE-2024-49362

CVE.ORG link : CVE-2024-49362

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

7.7 /10