Description
Joplin versions prior to 1.0.90 contain a Cross-site Scripting (XSS) vulnerability in the Note content field. Because nodeIntegration is enabled for the BrowserWindow instance where the XSS was identified, the XSS escalates to code execution. Information on the fix can be found here https://github.
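The description attributes the step from XSS to code execution to nodeIntegration being enabled on the affected BrowserWindow. The following added example (not Joplin's code or its fix) audits an Electron `webPreferences` object for settings that expose Node.js APIs to renderer content; the function name `auditWebPreferences` and both sample option objects are hypothetical and constructed for illustration.

```javascript
// Added example: audit Electron BrowserWindow webPreferences for settings that
// let script running in the renderer (e.g. injected note content) reach Node.js.
// Each option must be set explicitly, because Electron's defaults have changed
// between releases and older versions enabled nodeIntegration by default.
const REQUIRED = {
  nodeIntegration: false,            // no require()/process in the renderer
  nodeIntegrationInWorker: false,    // nor in web workers
  nodeIntegrationInSubFrames: false, // nor in iframes
  contextIsolation: true,            // preload and page scripts use separate contexts
  sandbox: true,                     // renderer runs inside the Chromium sandbox
  webSecurity: true,                 // keep the same-origin policy enforced
  webviewTag: false,                 // <webview> can carry its own webPreferences
};

// Returns one finding per option that is missing or set to an unsafe value.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, safe] of Object.entries(REQUIRED)) {
    if (!(key in prefs)) {
      findings.push({ key, issue: 'not set explicitly', expected: safe });
    } else if (prefs[key] !== safe) {
      findings.push({ key, issue: `set to ${prefs[key]}`, expected: safe });
    }
  }
  return findings;
}

// Constructed sample: a window configured the way the description refers to.
const weakWindow = { nodeIntegration: true };

// Constructed sample: hardened options for a window that renders untrusted HTML.
const hardenedWindow = {
  nodeIntegration: false,
  nodeIntegrationInWorker: false,
  nodeIntegrationInSubFrames: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  webviewTag: false,
};

for (const [name, prefs] of Object.entries({ weakWindow, hardenedWindow })) {
  const findings = auditWebPreferences(prefs);
  console.log(name, findings.length === 0 ? 'OK' : findings);
}
```

These settings limit what injected script can reach; they do not remove the XSS itself, which still requires sanitising rendered note content and updating to the patched version.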
Recommendation
Update the joplin package to the latest compatible version. Version details are as follows:
- Affected version(s): < 1.0.90
- Patched version(s): 1.0.90
References
Related Issues
- Json2html vulnerable to cross-site scripting - CVE-2018-25053
- metascraper before v5.2.0 vulnerable to stored cross-site scripting - CVE-2018-3773
- Joplin Desktop App vulnerable to Cross-site Scripting - CVE-2022-45598
- Joplin vulnerable to Cross-site Scripting in notes - CVE-2021-37916
- Tags:
- npm
- joplin
Last updated on April 23, 2024