Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
History

Tue, 17 Sep 2024 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Joplin Project
Joplin Project joplin
CPEs cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*
Vendors & Products Joplin Project
Joplin Project joplin

Mon, 09 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Joplinapp
Joplinapp joplin
CPEs cpe:2.3:a:joplinapp:joplin:*:*:*:*:*:node.js:*:*
Vendors & Products Joplinapp
Joplinapp joplin
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Sep 2024 14:45:00 +0000

Type Values Removed Values Added
Description Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
Title Joplin has a parsing error leading to Cross-site Scripting (XSS)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-09T14:28:20.920Z

Updated: 2024-09-09T14:52:47.111Z

Reserved: 2024-07-08T16:13:15.512Z

Link: CVE-2024-40643

cve-icon Vulnrichment

Updated: 2024-09-09T14:52:37.602Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-09T15:15:11.597

Modified: 2024-09-17T18:03:05.080

Link: CVE-2024-40643

cve-icon Redhat

No data.