CVE-2023-37898

Опубликовано: 21 июн. 2024

Источник: nvd

CVSS3: 8.2

CVSS3: 5.4

EPSS Низкий

Описание

Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. packages/renderer/MarkupToHtml.ts renders note content in safe mode by surrounding it with

Загрузка...

, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening

Загрузка...

Ссылки

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox
Technical Description
https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8
Exploit
Vendor Advisory
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox
Technical Description
https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*

Версия до 2.12.9 (исключая)

EPSS

Процентиль: 66%

0.0051

Низкий

8.2 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2023-37898

CVSS3: 8.2

debian

больше 1 года назад

Joplin is a free, open source note taking and to-do application. A Cro ...

EPSS

Процентиль: 66%

0.0051

Низкий

8.2 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79