CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-33295
https://notcve.org/view.php?id=CVE-2021-33295
Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute aribrary code due to improper sanitizing of html. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Joplin Desktop App versiones anteriores a 1.8.5, permite a atacantes ejecutar código arbitrario debido a un saneo inapropiado del html • https://github.com/laurent22/joplin/commit/9c20d5947d1fa4678a8b640792ff3d31224f0adf https://github.com/laurent22/joplin/releases/tag/v1.8.5 https://the-it-wonders.blogspot.com/2021/05/joplin-app-desktop-version-vulnerable.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23431 – Cross-site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2021-23431
The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. El paquete joplin versiones anteriores a 2.3.2, es vulnerable a un ataque de tipo Cross-site Request Forgery (CSRF) debido a que faltan comprobaciones de tipo CSRF en varios formularios. • https://github.com/laurent22/joplin/commit/19b45de2981c09f6f387498ef96d32b4811eba5e https://snyk.io/vuln/SNYK-JS-JOPLIN-1325537 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37916
https://notcve.org/view.php?id=CVE-2021-37916
Joplin before 2.0.9 allows XSS via button and form in the note body. Joplin versiones anteriores a 2.0.9, permite un ataque XSS por medio del button y form en el cuerpo de la nota • https://github.com/laurent22/joplin/commit/feaecf765368f2c273bea3a9fa641ff0da7e6b26 https://github.com/laurent22/joplin/releases/tag/v2.0.9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2020-28249 – Joplin 1.2.6 - 'link' Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-28249
Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. Joplin versión 1.2.6 para Desktop, permite un ataque de tipo XSS por medio de un elemento LINK en una nota • https://www.exploit-db.com/exploits/49024 https://github.com/fhlip0/JopinXSS https://github.com/laurent22/joplin/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2020-15930 – Joplin 1.0.245 - Arbitrary Code Execution (PoC)
https://notcve.org/view.php?id=CVE-2020-15930
An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag. Un problema de tipo XSS en Joplin Desktop versiones 1.0.190 hasta 1.0.245, permite una ejecución de código arbitrario por medio de una etiqueta de inserción HTML maliciosa. Joplin version 1.0.245 suffers from a cross site scripting vulnerability that can lead to allowing for remote code execution. • https://www.exploit-db.com/exploits/48837 http://packetstormsecurity.com/files/159316/Joplin-1.0.245-Cross-Site-Scripting-Code-Execution.html https://github.com/laurent22/joplin/issues/3552 https://github.com/laurent22/joplin/releases/tag/v1.1.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •