CVE-2024-55630: DOM Clobbering leads to temporary DOS in the note viewer in Joplin
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerability's only known impact is denial of service. The note viewer fails to refresh until closed and re-opened with a different note. This issue has been addressed in version 3.2.8 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-55630?
CVE-2024-55630 has been rated with a moderate severity level due to its potential for creating DOM clobbering vulnerabilities.
How do I fix CVE-2024-55630?
To fix CVE-2024-55630, update Joplin to the latest version beyond 3.2.8 where the vulnerability has been addressed.
What software is affected by CVE-2024-55630?
CVE-2024-55630 affects Joplin versions up to and including 3.2.8.
What type of vulnerability is CVE-2024-55630?
CVE-2024-55630 is primarily a DOM clobbering vulnerability that arises from improper handling of the HTML sanitizer.
Who can be impacted by CVE-2024-55630?
Users of Joplin who utilize the HTML sanitizer functionality may be impacted by CVE-2024-55630.