CVE-2023-45673 – Arbitrary code execution on click of PDF links in Joplin

https://notcve.org/view.php?id=CVE-2023-45673

Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. • https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59 • CWE-94: Improper Control of Generation of Code ('Code Injection') •