npm package
joplin
pkg:npm/joplin
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-49362 | — | — | — | >= 3.0.0, < 3.1.0 | 3.1.0 | Nov 14, 2024 | Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on a link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes introduc… |
| CVE-2023-37299 | — | — | — | < 2.11.5 | 2.11.5 | Jun 30, 2023 | Joplin before 2.11.5 allows XSS via an AREA element of an image map. |
| CVE-2023-37298 | — | — | — | < 2.11.5 | 2.11.5 | Jun 30, 2023 | Joplin before 2.11.5 allows XSS via a USE element in an SVG document. |
| CVE-2022-45598 | — | — | — | < 2.9.17 | 2.9.17 | Jan 31, 2023 | Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows an attacker to execute arbitrary code via improper sanitization. |
| CVE-2022-40277 | — | — | — | <= 2.8.8 | — | Sep 30, 2022 | Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markd… |
| CVE-2022-35131 | — | — | — | < 2.9.1 | 2.9.1 | Jul 25, 2022 | Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles. |
| CVE-2021-33295 | — | — | — | < 1.8.5 | 1.8.5 | Jun 16, 2022 | Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute arbitrary code due to improper sanitizing of HTML. |
| CVE-2022-23340 | — | — | — | < 2.7.1 | 2.7.1 | Feb 8, 2022 | Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results. |
| CVE-2021-23431 | — | — | — | < 2.3.2 | 2.3.2 | Aug 24, 2021 | The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. |
| CVE-2021-37916 | — | — | — | < 2.0.9 | 2.0.9 | Aug 2, 2021 | Joplin before 2.0.9 allows XSS via button and form in the note body. |
| CVE-2020-28249 | — | — | — | < 1.3.11 | 1.3.11 | Nov 6, 2020 | Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. |
| CVE-2020-15930 | — | — | — | >= 1.0.190, < 1.1.7 | 1.1.7 | Sep 24, 2020 | An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag. |
| CVE-2020-9038 | — | — | — | < 1.2.1 | 1.2.1 | Feb 17, 2020 | Joplin through 1.0.184 allows Arbitrary File Read via XSS. |
| CVE-2018-1000534 | — | — | — | < 1.0.90 | 1.0.90 | Jun 26, 2018 | Joplin version prior to 1.0.90 contains an XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/lau… |
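The affected ranges above are written in plain comparator form, so the practical check is to apply them to the version actually installed. The following is an added example (not code from this page or from the Joplin project): the `ADVISORIES` array is transcribed from the table, and the version and range parsers, `applicableCves` and `coverageReport` are my own helpers that assume plain `MAJOR.MINOR.PATCH` version strings.

```javascript
// Added example: evaluate the "Affected versions" ranges from the Joplin
// advisory table against an installed version. Data transcribed from the
// table above; parsing helpers are this example's own, not Joplin's.

const ADVISORIES = [
  { id: "CVE-2024-49362", affected: ">= 3.0.0, < 3.1.0", fixed: "3.1.0" },
  { id: "CVE-2023-37299", affected: "< 2.11.5", fixed: "2.11.5" },
  { id: "CVE-2023-37298", affected: "< 2.11.5", fixed: "2.11.5" },
  { id: "CVE-2022-45598", affected: "< 2.9.17", fixed: "2.9.17" },
  { id: "CVE-2022-40277", affected: "<= 2.8.8", fixed: null }, // no fix listed
  { id: "CVE-2022-35131", affected: "< 2.9.1", fixed: "2.9.1" },
  { id: "CVE-2021-33295", affected: "< 1.8.5", fixed: "1.8.5" },
  { id: "CVE-2022-23340", affected: "< 2.7.1", fixed: "2.7.1" },
  { id: "CVE-2021-23431", affected: "< 2.3.2", fixed: "2.3.2" },
  { id: "CVE-2021-37916", affected: "< 2.0.9", fixed: "2.0.9" },
  { id: "CVE-2020-28249", affected: "< 1.3.11", fixed: "1.3.11" },
  { id: "CVE-2020-15930", affected: ">= 1.0.190, < 1.1.7", fixed: "1.1.7" },
  { id: "CVE-2020-9038", affected: "< 1.2.1", fixed: "1.2.1" },
  { id: "CVE-2018-1000534", affected: "< 1.0.90", fixed: "1.0.90" },
];

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and a -prerelease
// suffix are tolerated; the suffix is ignored for ordering). Throws on
// anything else so a malformed version can never compare as "not affected".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Parse a range such as ">= 1.0.190, < 1.1.7" into comparator objects.
// Every comparator in the list must hold (the table's ranges are conjunctions).
function parseRange(range) {
  return range.split(",").map((part) => {
    const m = /^\s*(<=|>=|<|>|=)\s*(\S+)\s*$/.exec(part);
    if (!m) throw new Error(`unparseable range part: ${part}`);
    return { op: m[1], bound: parseVersion(m[2]) };
  });
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(({ op, bound }) => {
    const c = compareVersions(v, bound);
    if (op === "<") return c < 0;
    if (op === "<=") return c <= 0;
    if (op === ">") return c > 0;
    if (op === ">=") return c >= 0;
    return c === 0; // "="
  });
}

// IDs of the advisories whose affected range covers `version`.
function applicableCves(version, advisories = ADVISORIES) {
  return advisories.filter((a) => satisfies(version, a.affected)).map((a) => a.id);
}

// Highest "Fixed in" version recorded in the table, plus the advisories for
// which the table records no fix at all. A version above the maximum is not
// evidence that an unfixed advisory is resolved; it only means no listed
// range still matches.
function coverageReport(advisories = ADVISORIES) {
  const fixed = advisories.filter((a) => a.fixed !== null).map((a) => a.fixed);
  fixed.sort((x, y) => compareVersions(parseVersion(x), parseVersion(y)));
  return {
    maxFixedVersion: fixed.length ? fixed[fixed.length - 1] : null,
    unfixed: advisories.filter((a) => a.fixed === null).map((a) => a.id),
  };
}

// Example run against the version named in several of the descriptions.
console.log("2.8.8 ->", applicableCves("2.8.8"));
console.log(coverageReport());
```

Note that `coverageReport()` flags CVE-2022-40277 as having no fix recorded on this page, so an installation on a version that matches none of the listed ranges still needs that advisory confirmed against the upstream advisory or changelog rather than against this table alone.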