{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38506", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-18T16:28:12.077Z", "datePublished": "2024-06-21T19:43:24.161Z", "dateUpdated": "2024-08-02T17:46:55.757Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS) when pasting HTML into the rich text editor in Joplin", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399"}], "affected": [{"vendor": "laurent22", "product": "joplin", "versions": [{"version": "< 2.12.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-21T19:43:24.161Z"}, "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-m59c-9rrj-c399", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "joplin_project", "product": "joplin", "cpes": ["cpe:2.3:a:joplin_project:joplin:0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.12.10", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-24T13:57:21.359902Z", "id": "CVE-2023-38506", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T14:03:04.363Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:55.757Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "name": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:55.757Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38506", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-24T13:57:21.359902Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:joplin_project:joplin:0:*:*:*:*:*:*:*"], "vendor": "joplin_project", "product": "joplin", "versions": [{"status": "affected", "version": "0", "lessThan": "2.12.10", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T14:02:46.725Z"}}], "cna": {"title": "Cross-site Scripting (XSS) when pasting HTML into the rich text editor in Joplin", "source": {"advisory": "GHSA-m59c-9rrj-c399", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "laurent22", "product": "joplin", "versions": [{"status": "affected", "version": "< 2.12.10"}]}], "references": [{"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "name": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-21T19:43:24.161Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38506", "state": "PUBLISHED", "dateUpdated": "2024-08-02T17:46:55.757Z", "dateReserved": "2023-07-18T16:28:12.077Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-21T19:43:24.161Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*", "matchCriteriaId": "D3D41104-B079-4E4E-849D-501724590C0E", "versionEndExcluding": "2.12.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Joplin es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para tomar notas y tareas pendientes. Una vulnerabilidad de Cross-Site Scripting (XSS) permite pegar datos que no son de confianza en el editor de texto enriquecido para ejecutar c\u00f3digo arbitrario. El HTML pegado en el editor de texto enriquecido no se sanitiza (o no se sanitiza correctamente). Como tal, el atributo \"onload\" de las im\u00e1genes pegadas puede ejecutar c\u00f3digo arbitrario. Debido a que el marco del editor TinyMCE no utiliza el atributo `sandbox`, dichos scripts pueden acceder al `require` de NodeJS a trav\u00e9s de la variable `top`. A partir de esto, un atacante puede ejecutar comandos arbitrarios. Este problema se solucion\u00f3 en la versi\u00f3n 2.12.10 y se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-38506", "lastModified": "2025-04-11T15:17:15.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-21T20:15:12.003", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}