CVE-2022-35131

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

Joplin versión v2.8.8, permite a atacantes ejecutar comandos arbitrarios por medio de una carga útil diseñada inyectada en los títulos de Node

*Credits: N/A

CVSS Scores

NISTv3.1 9.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-04 CVE Reserved
2022-07-25 CVE Published
2024-03-15 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
http://joplin.com	Broken Link
https://github.com/laurent22/joplin/releases/tag/v2.9.1	Release Notes

URL	Date	SRC
https://github.com/ly1g3/Joplin-CVE-2022-35131	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Joplinapp Search vendor "Joplinapp"		Joplin Search vendor "Joplinapp" for product "Joplin"				2.8.8 Search vendor "Joplinapp" for product "Joplin" and version "2.8.8"		-		Affected