Description
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the shell.openExternal function.
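As an added example, not Joplin's own code, of the check the description says is missing: a scheme allowlist applied to a link from untrusted markdown before it reaches Electron's shell.openExternal. The function names sanitizeExternalLink and openExternalLink, the injected shell object, and the allowed-scheme list are assumptions made for this illustration; in Electron the real shell object would be require('electron').shell.

```javascript
// Added example (not Joplin's code): validate the URL scheme of a markdown
// link before handing it to Electron's shell.openExternal.
// The `shell` object is injected so the code runs without Electron installed;
// in an Electron app you would pass require('electron').shell.

// Assumed allowlist: only schemes a note link legitimately needs.
// Anything else (file:, custom app schemes, script schemes, ...) is rejected.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalised href when the link uses an allowed scheme, else null.
// The WHATWG URL parser is used so that mixed-case schemes, surrounding
// whitespace and malformed strings are interpreted the same way a browser
// would, instead of relying on an ad-hoc prefix check.
function sanitizeExternalLink(href) {
  if (typeof href !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(href.trim());
  } catch (_) {
    return null; // relative or unparsable: nothing to open externally
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Wrapper to call instead of shell.openExternal directly on markdown links.
// Returns true if the link was passed to the shell, false if it was rejected.
function openExternalLink(href, shell) {
  const safeHref = sanitizeExternalLink(href);
  if (safeHref === null) return false;
  shell.openExternal(safeHref); // in Electron this returns a Promise
  return true;
}

// Stand-alone demo with a fake shell that only records what would be opened.
function demo() {
  const opened = [];
  const fakeShell = { openExternal: (u) => { opened.push(u); } };
  // Constructed sample links: one legitimate, one using a non-allowlisted scheme.
  const results = ['HtTps://Example.com/note', 'file:///tmp/example']
    .map((href) => openExternalLink(href, fakeShell));
  return { results, opened };
}
```

Usage: replace each direct shell.openExternal(link) on a markdown-derived link with openExternalLink(link, shell); demo() shows the allowed link being normalised to lower-case scheme and host while the file: link is dropped.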
Recommendation
No fix is available yet. The following versions are affected:
- <= 2.8.8
References
Related Issues
- Prototype Pollution in lodash - CVE-2018-3721
- Stored XSS in Jupyter nbdime - CVE-2021-41134
- Cross-site Scripting in quill - CVE-2021-3163
- Prototype Pollution in async - CVE-2021-43138
Tags:
- npm
- joplin
Last updated on April 23, 2024