Cross-site scripting in Joplin (GHSA-q26w-wjj2-22vv)

Description

Joplin allows XSS via a LINK element in a note.

Recommendation

Update the joplin package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.3.11
• Patched version(s): 1.3.11

References

• GHSA-q26w-wjj2-22vv
• www.npmjs.com
• CVE-2020-28249
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-site Scripting in Joplin (GHSA-6r7x-hc8m-985r) - CVE-2020-9038
• Cross-Site Scripting in Prism (GHSA-wvhm-4hhf-97x9) - CVE-2020-15138
• Cross-site Scripting in dompurify (GHSA-63q7-h895-m982) - CVE-2020-26870
• Cross-site Scripting in reveal.js (GHSA-6vwx-mwp8-fh44) - CVE-2020-8127

Tags:

npm

joplin