Filtered by vendor Joplin Project
Subscriptions
Total
18 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-55630 | 1 Joplin Project | 1 Joplin | 2025-04-18 | 3.3 Low |
| Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerability's only known impact is denial of service. The note viewer fails to refresh until closed and re-opened with a different note. This issue has been addressed in version 3.2.8 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-24028 | 1 Joplin Project | 1 Joplin | 2025-04-18 | 7.8 High |
| Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`. This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-25187 | 1 Joplin Project | 1 Joplin | 2025-04-11 | 7.8 High |
| Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses <kbd>ctrl</kbd>-<kbd>p</kbd> to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-37898 | 1 Joplin Project | 1 Joplin | 2025-04-11 | 8.2 High |
| Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with <pre> and </pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening <pre> tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-45673 | 2 Joplin Project, Laurent 22 | 2 Joplin, Joplin | 2025-04-11 | 8.9 High |
| Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-38506 | 1 Joplin Project | 1 Joplin | 2025-04-11 | 8.2 High |
| Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-45598 | 1 Joplin Project | 1 Joplin | 2025-03-27 | 6.1 Medium |
| Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper santization. | ||||
| CVE-2023-37298 | 1 Joplin Project | 1 Joplin | 2024-11-27 | 6.1 Medium |
| Joplin before 2.11.5 allows XSS via a USE element in an SVG document. | ||||
| CVE-2023-37299 | 1 Joplin Project | 1 Joplin | 2024-11-27 | 6.1 Medium |
| Joplin before 2.11.5 allows XSS via an AREA element of an image map. | ||||
| CVE-2023-39517 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 8.2 High |
| Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `<map>` `<area>` links. However, unlike `<a>` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn't sandboxed to prevent top navigation, links with `target` set to `_top` can replace the toplevel electron page. Because any toplevel electron page, with Joplin's setup, has access to `require` and can require node libraries, a malicious replacement toplevel page can import `child_process` and execute arbitrary shell commands. This issue has been fixed in commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f which is included in release version 2.12.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-23340 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 9.8 Critical |
| Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results. | ||||
| CVE-2021-37916 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 6.1 Medium |
| Joplin before 2.0.9 allows XSS via button and form in the note body. | ||||
| CVE-2021-33295 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute aribrary code due to improper sanitizing of html. | ||||
| CVE-2020-9038 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 5.4 Medium |
| Joplin through 1.0.184 allows Arbitrary File Read via XSS. | ||||
| CVE-2020-28249 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 6.1 Medium |
| Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. | ||||
| CVE-2020-15930 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 6.1 Medium |
| An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag. | ||||
| CVE-2018-1000534 | 1 Joplin Project | 1 Joplin | 2024-11-21 | N/A |
| Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that can result in executing unauthorized code within the rights in which the application is running. This attack appear to be exploitable via Victim synchronizing notes from the cloud services or other note-keeping services which contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later. | ||||
| CVE-2024-40643 | 2 Joplin Project, Joplinapp | 2 Joplin, Joplin | 2024-09-17 | 9.7 Critical |
| Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag. | ||||
Page 1 of 1.