SB20240621120 - Cross-site scripting in Joplin

Published: June 21, 2024 Updated: May 16, 2026

Security Bulletin ID: SB20240621120
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2023-37898)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper neutralization of note content in packages/renderer/MarkupToHtml.ts when rendering an untrusted note in safe mode. A local user can create a specially crafted note that executes arbitrary code when it is opened.

User interaction is required to open the crafted note, and exploitation relies on the rendered markdown iframe sharing the same origin as the top-level document without sandboxing.
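The precondition stated above is a render frame that shares the top-level origin with no sandboxing. The following added example, which is not Joplin's code, audits the sandbox attribute value of a frame that renders untrusted markup and derives a hardened value from it; the function names `auditRenderFrameSandbox` and `hardenSandbox` and the sample attribute values are this example's own.

```javascript
// Added example, not Joplin's code. The bulletin's exploitation condition is a
// markdown render iframe on the top-level origin without sandboxing, so this
// check flags (a) no sandbox attribute at all and (b) a sandbox that re-grants
// the same origin together with script execution, which the HTML spec warns is
// equivalent to no sandbox (frame script can strip its own sandbox attribute).

// Tokens that, on a frame holding untrusted note HTML, undo origin isolation
// or let the frame act on the top-level document.
const RISKY_TOKENS = new Set([
  "allow-same-origin",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-popups-to-escape-sandbox",
]);

// Parse a sandbox attribute value into its lowercase token set.
// An empty string is a valid value meaning "all restrictions apply".
function sandboxTokens(value) {
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// sandboxValue: the iframe's sandbox attribute value, or null when absent.
// Returns { isolated: boolean, findings: string[] }.
function auditRenderFrameSandbox(sandboxValue) {
  const findings = [];
  if (sandboxValue === null || sandboxValue === undefined) {
    findings.push("no sandbox attribute: frame inherits the top-level origin");
    return { isolated: false, findings };
  }
  const tokens = sandboxTokens(sandboxValue);
  if (tokens.has("allow-same-origin") && tokens.has("allow-scripts")) {
    findings.push("allow-scripts with allow-same-origin: frame script can remove its own sandbox");
  }
  for (const t of tokens) {
    if (RISKY_TOKENS.has(t)) findings.push(`risky token: ${t}`);
  }
  return { isolated: findings.length === 0, findings };
}

// Derive a hardened sandbox value: keep only non-risky tokens (sorted for a
// stable result); a missing attribute becomes "" (fully restricted, opaque origin).
function hardenSandbox(sandboxValue) {
  if (sandboxValue === null || sandboxValue === undefined) return "";
  return [...sandboxTokens(sandboxValue)].filter((t) => !RISKY_TOKENS.has(t)).sort().join(" ");
}
```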


Remediation

Install the update from the vendor's website.