VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2023 · Updated Nov 27, 2024

CVE-2023-37299

Description

Joplin before 2.11.5 allows XSS via an AREA element of an image map.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joplin before 2.11.5 allows stored XSS via an AREA element in an HTML image map, enabling arbitrary JavaScript execution.

Vulnerability

Description

Joplin versions prior to 2.11.5 are vulnerable to cross-site scripting (XSS) through an AREA element inside an HTML image map. The renderer's attribute sanitizer rejected unacceptable `href` values (in particular `javascript:` URLs) only on `a` tags, so an `area` element could carry a `javascript:` `href` that reached the rendered note untouched [1][2][4].

Exploitation

To exploit this vulnerability, an attacker crafts a note containing a `map` element with an `area` child whose `href` attribute is a `javascript:` URI, plus an `img` whose `usemap` attribute points at that map. When the victim views the note and clicks inside the mapped area, the attacker's JavaScript runs in the context of the Joplin application. No authentication is required beyond the ability to get the note in front of a victim, for example by sharing or syncing notes with them; exploitation can also occur through imported notes or direct editing [3][4].

Impact

Successful exploitation executes arbitrary JavaScript inside the Joplin application's window. In the desktop app that window has Node.js integration, so the payload can reach Node APIs: the fix commit's own test fixture uses top.require(`child_process`).execSync(`calc.exe`), turning the XSS into code execution on the host and potentially compromising the entire system. The desktop versions, where Node.js APIs are reachable from the renderer, are therefore the most severely affected [4].

Mitigation

The vulnerability is patched in Joplin version 2.11.5. The fix extends the URL sanitization to all tags with href attributes, covering AREA elements [3]. Users are strongly advised to update immediately. No workarounds are available for earlier versions.
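The behaviour the Description, Exploitation and Mitigation paragraphs above describe, as an added example that is not Joplin's code: a toy TypeScript attribute sanitizer that replays the fix. `sanitizeHtml(html, false)` keeps the pre-2.11.5 rule (the `href` check runs only on `a`), while `sanitizeHtml(html, true)` checks every `href`, as the htmlUtils.ts hunk in the patch section does. The scheme allow-list in `ACCEPTED_SCHEMES` and the tab/newline normalisation in `isAcceptedUrl` are assumptions standing in for Joplin's real `isAcceptedUrl`, whose body is not on this page; the regex tag scanner is a stand-in for Joplin's HTML parser, not a real one. `PAYLOAD` is Joplin's own fixture from sanitize_16.md; `BENIGN` and `TRICKY` are constructed inputs added for this example.

```typescript
// Added example, not Joplin's code. Replays the CVE-2023-37299 fix with a toy
// attribute sanitizer: before 2.11.5 the href check ran only for <a>; after it,
// for any element carrying href (area, link, use, ...).

type Attrs = { [name: string]: string };

// Assumption: schemes a note may legitimately link to. Everything else,
// including javascript: and data:, is rewritten to '#' as the real fix does.
const ACCEPTED_SCHEMES = ['http', 'https', 'mailto'];

// Stand-in for Joplin's isAcceptedUrl (assumed behaviour, not the real body).
function isAcceptedUrl(url: string): boolean {
  // Browsers drop tab/newline anywhere in a URL and trim C0/space at both
  // ends before parsing, so "java\tscript:" or " javascript:" would still
  // run; normalise the same way before looking at the scheme.
  const cleaned = url
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // '#frag', 'path/x', '/abs' carry no scheme
  return ACCEPTED_SCHEMES.indexOf(m[1].toLowerCase()) !== -1;
}

// Mirrors the hunk in packages/renderer/htmlUtils.ts: fixed=false keeps the
// pre-2.11.5 `name === 'a'` guard, fixed=true checks every href.
function filterAttrs(tagName: string, attrs: Attrs, fixed: boolean): Attrs {
  const out: Attrs = {};
  for (const k of Object.keys(attrs)) out[k] = attrs[k];
  const applies = fixed || tagName === 'a';
  if (applies && 'href' in out && !isAcceptedUrl(out['href'])) {
    out['href'] = '#';
  }
  return out;
}

// Start tag: name, raw attribute run, optional self-closing slash.
// Toy scanner only; it does not handle comments, CDATA or malformed markup.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[\w:-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;

function sanitizeHtml(html: string, fixed: boolean): string {
  return html.replace(TAG_RE, (_m: string, name: string, rawAttrs: string, slash: string) => {
    const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    const attrs: Attrs = {};
    let a: RegExpExecArray | null;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : '';
      attrs[a[1].toLowerCase()] = value;
    }
    const clean = filterAttrs(name.toLowerCase(), attrs, fixed);
    const rendered = Object.keys(clean)
      .map((k) => ` ${k}="${clean[k].replace(/"/g, '&quot;')}"`)
      .join('');
    return `<${name}${rendered}${slash ? '/' : ''}>`;
  });
}

// Joplin's own fixture from packages/app-cli/tests/md_to_html/sanitize_16.md.
const PAYLOAD =
  '<map name="test"><area coords="0,0,1000,1000" href="javascript:top.require(`child_process`).execSync(`calc.exe`)"></map>' +
  '<img usemap="#test" src="https://github.com/Ry0taK.png">';

// Constructed inputs: a benign link that must survive, and scheme tricks
// (mixed case, leading space, embedded tab) the hardened check must still catch.
const BENIGN = '<a href="https://joplinapp.org">docs</a>';
const TRICKY =
  '<map name="m"><area href=" JaVaScRiPt:alert(1)" coords="0,0,1,1"></map>' +
  '<a href="java\tscript:alert(1)">x</a>';

console.log('before fix:', sanitizeHtml(PAYLOAD, false));
console.log('after fix: ', sanitizeHtml(PAYLOAD, true));
console.log('tricky, after fix:', sanitizeHtml(TRICKY, true));
```

Run with `ts-node` or compile with `tsc`. The pre-fix output keeps the `javascript:` href on the `area` (the `a`-only guard never looks at it), the post-fix output is the same markup the sanitize_16.html expectation records: `href="#"` on the area, everything else untouched. The `TRICKY` case is the caveat a reviewer wants: a naive `startsWith('javascript:')` would miss the mixed-case and tab-split spellings, which is why the scheme is parsed after browser-style normalisation rather than string-matched.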

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
joplin (npm)    < 2.11.5            2.11.5

Affected products: 2

Patches: 1
9e90d9016daf

All: Security: Prevent XSS by sanitizing certain HTML attributes

Repository: https://github.com/laurent22/joplin · Author: Laurent Cozic · May 19, 2023 · via ghsa
4 files changed · +14 −12
  • packages/app-cli/tests/md_to_html/sanitize_15.html (+1 −1, modified)
    @@ -1 +1 @@
    -<use href="data:image/svg+xml,&lt;svg id=&apos;x&apos; xmlns=&apos;http://www.w3.org/2000/svg&apos;&gt;&lt;image href=&apos;asdf&apos; onerror=&apos;top.require(`child_process`).execSync(`calc.exe`)&apos; /&gt;&lt;/svg&gt;#x" class="jop-noMdConv">
    \ No newline at end of file
    +<use href="#" class="jop-noMdConv">
    \ No newline at end of file
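Review bot: the expected output for this existing fixture changes from the full `data:image/svg+xml,...` href (carrying an `onerror` payload) to `href="#"`, which means the widened check in htmlUtils.ts now rewrites `data:` hrefs on SVG `<use>` elements as well, not only `javascript:` hrefs on `<area>`. That is the right direction, but the commit message only says "certain HTML attributes"; state that `data:` hrefs are now rejected on every element, and check that no legitimate note content relies on `<use href="data:...">`, since the old expectation shows that value was previously passed through.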
    
  • packages/app-cli/tests/md_to_html/sanitize_16.html (+1 −0, added)
    @@ -0,0 +1 @@
    +<map name="test" class="jop-noMdConv"><area coords="0,0,1000,1000" href="#" class="jop-noMdConv"/></map><img usemap="#test" src="https://github.com/Ry0taK.png" class="jop-noMdConv"/>
    \ No newline at end of file
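Review bot: this expectation only exercises a lowercase, unpadded `javascript:` scheme; whether the filter also catches `JaVaScRiPt:`, a value with leading whitespace, or a tab or newline inside the scheme depends on what isAcceptedUrl does, which is not visible in this diff. Consider adding fixtures for those spellings so the AREA path is covered the same way the A path is, plus one with a legitimate `href="https://..."` on the area to show benign image maps still render unchanged.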
    
  • packages/app-cli/tests/md_to_html/sanitize_16.md (+1 −0, added)
    @@ -0,0 +1 @@
    +<map name="test"><area coords="0,0,1000,1000" href="javascript:top.require(`child_process`).execSync(`calc.exe`)"></map><img usemap="#test" src="https://github.com/Ry0taK.png">
    \ No newline at end of file
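Review bot: the fixture points the image at a live external URL (https://github.com/Ry0taK.png); an md_to_html comparison test does not fetch it, but a local or placeholder path keeps the fixture self-contained and avoids tying the test to a third party. The payload itself is a good choice, since `top.require(...).execSync(...)` documents exactly what the attacker relies on: that `top.require` resolves to Node's require from the rendering window, which is what makes this XSS an RCE.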
    
  • packages/renderer/htmlUtils.ts (+11 −11, modified)
    @@ -233,18 +233,18 @@ class HtmlUtils {
     					delete attrs[attrName];
     				}
     
    -				if (name === 'a') {
    -					// Make sure that only non-acceptable URLs are filtered out.
    -					// In particular we want to exclude `javascript:` URLs.
    -					if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) {
    -						attrs['href'] = '#';
    -					}
    +				// Make sure that only non-acceptable URLs are filtered out. In
    +				// particular we want to exclude `javascript:` URLs. This
    +				// applies to A tags, and also AREA ones but to be safe we don't
    +				// filter on the tag name and process all HREF attributes.
    +				if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) {
    +					attrs['href'] = '#';
    +				}
     
    -					// We need to clear any such attribute, otherwise it will
    -					// make any arbitrary link open within the application.
    -					if ('data-from-md' in attrs) {
    -						delete attrs['data-from-md'];
    -					}
    +				// We need to clear any such attribute, otherwise it will
    +				// make any arbitrary link open within the application.
    +				if ('data-from-md' in attrs) {
    +					delete attrs['data-from-md'];
     				}
     
     				if (options.addNoMdConvClass) {
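Review bot: dropping the `name === 'a'` guard is the right fix, but the check still keys on the literal attribute name `href`. SVG elements accept the same URL through `xlink:href` (`<a xlink:href="javascript:...">` inside an inline `<svg>`), and that key would not satisfy `'href' in attrs`; if inline SVG reaches this code path, apply the same rewrite to both keys (`for (const key of ['href', 'xlink:href'])`) or confirm it is stripped earlier. Also note that the `data-from-md` deletion now runs for every element rather than only `<a>`, which looks harmless but is a behaviour change the comment above it does not mention.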
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)