CVE-2023-38506

Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-21 20:15

Updated : 2024-06-24 12:57

NVD link : CVE-2023-38506

Mitre link : CVE-2023-38506

CVE.ORG link : CVE-2023-38506

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-38506", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 2.3}]}, "published": "2024-06-21T20:15:12.003", "references": [{"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Joplin es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para tomar notas y tareas pendientes. Una vulnerabilidad de Cross-Site Scripting (XSS) permite pegar datos que no son de confianza en el editor de texto enriquecido para ejecutar c\u00f3digo arbitrario. El HTML pegado en el editor de texto enriquecido no se sanitiza (o no se sanitiza correctamente). Como tal, el atributo \"onload\" de las im\u00e1genes pegadas puede ejecutar c\u00f3digo arbitrario. Debido a que el marco del editor TinyMCE no utiliza el atributo `sandbox`, dichos scripts pueden acceder al `require` de NodeJS a trav\u00e9s de la variable `top`. A partir de esto, un atacante puede ejecutar comandos arbitrarios. Este problema se solucion\u00f3 en la versi\u00f3n 2.12.10 y se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-06-24T12:57:36.513", "sourceIdentifier": "security-advisories@github.com"}