CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-40277
https://notcve.org/view.php?id=CVE-2022-40277
30 Sep 2022 — Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function. Joplin versión 2.8.8, permite a un atacante externo ejecutar comandos arbitrarios de forma remota en cualquier cliente que abra un enlace en un archivo markdown mali... • https://fluidattacks.com/advisories/skrillex • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 12%CPEs: 1EXPL: 1CVE-2022-35131
https://notcve.org/view.php?id=CVE-2022-35131
25 Jul 2022 — Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles. Joplin versión v2.8.8, permite a atacantes ejecutar comandos arbitrarios por medio de una carga útil diseñada inyectada en los títulos de Node • https://github.com/ly1g3/Joplin-CVE-2022-35131 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23431 – Cross-site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2021-23431
24 Aug 2021 — The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. El paquete joplin versiones anteriores a 2.3.2, es vulnerable a un ataque de tipo Cross-site Request Forgery (CSRF) debido a que faltan comprobaciones de tipo CSRF en varios formularios. • https://github.com/laurent22/joplin/commit/19b45de2981c09f6f387498ef96d32b4811eba5e • CWE-352: Cross-Site Request Forgery (CSRF) •