CVE-2023-38506: Cross-site Scripting (XSS) when pasting HTML into the rich text editor in Joplin
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2023-38506?
CVE-2023-38506 has been rated as a high severity vulnerability due to its potential to execute arbitrary code via Cross-site Scripting.
How do I fix CVE-2023-38506?
To fix CVE-2023-38506, update Joplin to version 2.12.10 or later, which includes proper sanitization of HTML input in the rich text editor.
What is the impact of CVE-2023-38506?
The impact of CVE-2023-38506 allows an attacker to execute arbitrary code in the context of the user who pastes untrusted HTML content into the rich text editor.
Which versions of Joplin are affected by CVE-2023-38506?
CVE-2023-38506 affects Joplin versions up to exclusive 2.12.10.
What kind of vulnerability is CVE-2023-38506?
CVE-2023-38506 is a Cross-site Scripting (XSS) vulnerability that arises from improper sanitization of user input.