CVE-2023-38506 – Cross-site Scripting (XSS) when pasting HTML into the rich text editor in Joplin
https://notcve.org/view.php?id=CVE-2023-38506
A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. ... As such, the `onload` attribute of pasted images can execute arbitrary code. • https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-45673 – Arbitrary code execution on click of PDF links in Joplin
https://notcve.org/view.php?id=CVE-2023-45673
A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. ... • https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-2003 – Local Privilege Escalation in Quarantine of ESET products for Windows
https://notcve.org/view.php?id=CVE-2024-2003
An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://support.eset.com/ca8674 • CWE-269: Improper Privilege Management •
CVE-2024-23962 – Alpine Halo9 Missing Authentication Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-23962
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Alpine Halo9 devices. ... An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device. •
CVE-2024-6248 – Wyze Cam v3 Cloud Infrastructure Improper Authentication Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-6248
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. ... An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. •