CVE-2024-49362

Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.1 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*

History

07 May 2025, 14:10

Type	Values Removed	Values Added
References	~~() https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7 -~~	() https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7 - Exploit, Vendor Advisory
First Time		Joplin Project joplin Joplin Project
CWE		CWE-79
CPE		cpe:2.3:a:joplin_project:joplin::::::-::*

Information

Published : 2024-11-14 18:15

Updated : 2025-05-07 14:10

NVD link : CVE-2024-49362

Mitre link : CVE-2024-49362

CVE.ORG link : CVE-2024-49362

JSON object : View

Products Affected

joplin_project

joplin

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-49362", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2024-11-14T18:15:19.243", "references": [{"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution."}, {"lang": "es", "value": "Joplin es una aplicaci\u00f3n de c\u00f3digo abierto y gratuita para tomar notas y realizar tareas pendientes. Joplin-desktop tiene una vulnerabilidad que provoca la ejecuci\u00f3n remota de c\u00f3digo (RCE) cuando un usuario hace clic en un enlace <a rel=\"nofollow\"> dentro de notas que no son de confianza. El problema surge debido a una limpieza insuficiente de los atributos de la etiqueta </a><a rel=\"nofollow\"> introducidos por Mermaid. Esta vulnerabilidad permite la ejecuci\u00f3n de contenido HTML no confiable dentro de la ventana Electron, que tiene acceso completo a las API de Node.js, lo que permite la ejecuci\u00f3n arbitraria de comandos de shell.</a>"}], "lastModified": "2025-05-07T14:10:19.787", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "072181DD-7C0E-4B22-AC35-B7C25CC53219", "versionEndExcluding": "3.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}