Description
Joplin versions prior to 1.0.90 contain a Cross-site Scripting (XSS) vulnerability in the Note content field. Because nodeIntegration is enabled for the BrowserWindow instance in which the XSS occurs, the XSS can escalate to code execution. Information on the fix can be found here: https://github.
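The root cause described above, as an added example that is not Joplin's code and not part of the original advisory: a Node.js check that audits Electron BrowserWindow webPreferences for settings that let injected script reach Node.js APIs. The window names and sample configurations are constructed, and requiring explicit values for the three main options is a choice made for this example.

```javascript
// Added example, not Joplin's code. Audits Electron BrowserWindow
// webPreferences for settings that let script injected into rendered
// content reach Node.js APIs.
const RULES = [
  // mustBeExplicit: Electron's default for these changed between major
  // releases, so an unset value is reported instead of assumed safe.
  { key: 'nodeIntegration', safe: false, mustBeExplicit: true,
    why: 'page script can call require() and use Node.js APIs' },
  { key: 'contextIsolation', safe: true, mustBeExplicit: true,
    why: 'page script shares a JavaScript context with preload code' },
  { key: 'sandbox', safe: true, mustBeExplicit: true,
    why: 'renderer runs without the Chromium sandbox' },
  { key: 'nodeIntegrationInWorker', safe: false, mustBeExplicit: false,
    why: 'web workers get Node.js APIs' },
  { key: 'nodeIntegrationInSubFrames', safe: false, mustBeExplicit: false,
    why: 'iframes and child windows get Node.js support' },
  { key: 'webSecurity', safe: true, mustBeExplicit: false,
    why: 'same-origin policy is disabled' },
];

// Returns one finding per option that is unsafe, or unset where an
// explicit value is required.
function auditWebPreferences(windowName, webPreferences = {}) {
  const findings = [];
  for (const rule of RULES) {
    const value = webPreferences[rule.key];
    if (value === undefined) {
      if (rule.mustBeExplicit) {
        findings.push({ window: windowName, key: rule.key, status: 'unset',
          detail: `set ${rule.key}: ${rule.safe} explicitly` });
      }
    } else if (value !== rule.safe) {
      findings.push({ window: windowName, key: rule.key, status: 'unsafe',
        detail: rule.why });
    }
  }
  return findings;
}

// Constructed sample configurations (hypothetical window names).
const SAMPLE_WINDOWS = {
  noteViewer: { nodeIntegration: true },
  hardenedViewer: { nodeIntegration: false, contextIsolation: true, sandbox: true },
};

function auditAll(windows) {
  return Object.entries(windows)
    .flatMap(([name, prefs]) => auditWebPreferences(name, prefs));
}
```
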
Recommendation
Update the joplin package to the latest compatible version. Version details are as follows:
- Affected version(s): < 1.0.90
- Patched version(s): 1.0.90
References
Related Issues
- Joplin Cross Site Scripting Vulnerability via NOSCRIPT tags - CVE-2021-33295
- Remote Code Execution on click of <a> Link in markdown preview - CVE-2024-49362
- Joplin Remote Code Execution - CVE-2022-40277
- Potential XSS vulnerability in jQuery (GHSA-gxr4-xjj5-5px2) - CVE-2020-11022
Tags:
- npm
- joplin
Last updated on April 23, 2024