CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37298
https://notcve.org/view.php?id=CVE-2023-37298
Joplin before 2.11.5 allows XSS via a USE element in an SVG document. • https://github.com/laurent22/joplin/commit/caf66068bfc474bbfd505013076ed173cd90ca83 https://github.com/laurent22/joplin/releases/tag/v2.11.5 https://vuln.ryotak.net/advisories/69 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37299
https://notcve.org/view.php?id=CVE-2023-37299
Joplin before 2.11.5 allows XSS via an AREA element of an image map. • https://github.com/laurent22/joplin/commit/9e90d9016daf79b5414646a93fd369aedb035071 https://github.com/laurent22/joplin/releases/tag/v2.11.5 https://vuln.ryotak.net/advisories/68 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45598
https://notcve.org/view.php?id=CVE-2022-45598
Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper santization. Una vulnerabilidad de cross site scripting en la aplicación de escritorio Joplin anterior a v2.9.17 permite a un atacante ejecutar código arbitrario mediante una sanitización inadecuada. • https://github.com/laurent22/joplin/commit/a2de167b95debad83a0f0c7925a88c0198db812e https://github.com/laurent22/joplin/releases/tag/v2.9.17 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-40277
https://notcve.org/view.php?id=CVE-2022-40277
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function. Joplin versión 2.8.8, permite a un atacante externo ejecutar comandos arbitrarios de forma remota en cualquier cliente que abra un enlace en un archivo markdown malicioso, por medio de Joplin. Esto es posible porque la aplicación no comprueba apropiadamente el esquema/protocolo de los enlaces existentes en el archivo markdown antes de pasarlos a la función "shell.openExternal" • https://fluidattacks.com/advisories/skrillex https://github.com/laurent22/joplin • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-35131
https://notcve.org/view.php?id=CVE-2022-35131
Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles. Joplin versión v2.8.8, permite a atacantes ejecutar comandos arbitrarios por medio de una carga útil diseñada inyectada en los títulos de Node • https://github.com/ly1g3/Joplin-CVE-2022-35131 http://joplin.com https://github.com/laurent22/joplin/releases/tag/v2.9.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •