CVE-2025-24028

Cross-site Scripting (XSS) in Rich Text Editor allows arbitrary code execution in Joplin

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`. This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-01-16 CVE Reserved
2025-02-07 CVE Published
2025-02-08 EPSS Updated
2025-02-10 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
https://github.com/laurent22/joplin/commit/2a058ed8097c2502e152b26394dc1917897f5817	X_refsource_misc
https://github.com/laurent22/joplin/commit/9b505395918bc923f34fe6f3b960bb10e8cf234e	X_refsource_misc
https://github.com/laurent22/joplin/security/advisories/GHSA-5w3c-wph9-hq92	X_refsource_confirm
https://joplinapp.org/help/dev/spec/note_viewer_isolation	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Laurent22 Search vendor "Laurent22"		Joplin Search vendor "Laurent22" for product "Joplin"				>= 3.2.6 < 3.2.12 Search vendor "Laurent22" for product "Joplin" and version " >= 3.2.6 < 3.2.12"		en		Affected