Cross-site Scripting in Joplin

Description

An XSS issue in Joplin desktop allows arbitrary code execution via a malicious HTML embed tag.

Recommendation

Update the joplin package to the latest compatible version. Followings are version details:

• Affected version(s): >= 1.0.190, < 1.1.7
• Patched version(s): 1.1.7

References

• GHSA-cgc7-mwp4-3ccx
• packetstormsecurity.com
• CVE-2020-15930
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-site scripting in Joplin - joplin - CVE-2020-28249
• Cross-site Scripting in Joplin - joplin - GHSA-6r7x-hc8m-985r - CVE-2020-9038
• Cross-site scripting in SocksJS-node - CVE-2020-8823
• Cross-site Scripting in reveal.js - reveal.js - CVE-2020-8127

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

joplin