Cross-site scripting in Joplin - CVE-2024-49362
Published: November 14, 2024 / Updated: May 16, 2026
Joplin
Detailed vulnerability description
The vulnerability allows a local privileged user to execute arbitrary script code in the Markdown preview context.
The vulnerability is a cross-site scripting flaw in the link handling of the Markdown preview, triggered when crafted Markdown content is rendered. A local privileged user can create specially crafted Markdown content to execute arbitrary script code in the Markdown preview context.
User interaction is required to open or render the crafted markdown content.