Joplin: Security Vulnerability

Created on 23 Jul 2020 · 8 Comments · Source: laurent22/joplin

I'm opening this issue for future disclosure regarding the vulnerability reported via e-mail.

All 8 comments

Thanks, the fix will be in next release

FYI I've found two other vulnerabilities and reported them via e-mail.

Any updates on whatever this may be? I'm curious because I've been having some problems with malware on my phone and desktops, and I noticed in the logs for the mobile app that it mentioned "Saving updated dropbox auth" when I hadn't updated anything in Dropbox or Joplin's connection to it in over a week...

Fixed in d209d5036b71ea1608473accd7f27decf739ab41

Fixed in d209d50

This does not fix the reported vulnerability. Joplin v1.0.233 is still vulnerable to CVE-2020-15930.

Was this fixed or wasn't it? I find it disturbing that the dev didn't respond after the last comment, either to clarify that this has indeed been fixed or to follow up on the problem.

CVE-2020-15930
Description: An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag.

HTML embed tags are rendered in Joplin. This can be used to open a child window through window.open() that will have node integration enabled. This leads to arbitrary code execution on the victim system.

If the Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin's 'POST /notes' API endpoint to remotely deploy the payload into the victim application.

The vulnerability was fixed in v1.1.4 by disallowing the embed tag.
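
The mitigation described above ("disallowing the embed tag") as an added example, not Joplin's own code: a small tag filter run over a note body before it is rendered. It scans tags with a quote-aware scanner rather than a naive regex so a `>` inside an attribute value cannot hide the tag, and it returns the removed tags so a renderer can log or alert on them. The denylist is an assumption and can be extended beyond `embed`; the sample note body is constructed.

```javascript
// Added example (not Joplin's code). Assumption: note bodies are raw HTML strings.
const DISALLOWED_TAGS = new Set(['embed']); // extend as policy requires

// Index just past the '>' that closes the tag starting at `start`.
// A '>' inside a quoted attribute value does not terminate the tag.
function findTagEnd(html, start) {
  let quote = null;
  for (let i = start + 1; i < html.length; i++) {
    const ch = html[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '>') {
      return i + 1;
    }
  }
  return html.length; // unterminated tag: treat the remainder as the tag
}

// Removes opening, closing and self-closing forms of every disallowed tag
// (case-insensitive) and reports what was stripped for logging.
function stripDisallowedTags(html, disallowed = DISALLOWED_TAGS) {
  let out = '';
  const removed = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { out += html[i++]; continue; }
    const m = /^<\/?([a-zA-Z][a-zA-Z0-9-]*)/.exec(html.slice(i, i + 64));
    if (!m) { out += html[i++]; continue; } // a bare '<' in text, not a tag
    const end = findTagEnd(html, i);
    if (disallowed.has(m[1].toLowerCase())) {
      removed.push(html.slice(i, end));
    } else {
      out += html.slice(i, end);
    }
    i = end;
  }
  return { html: out, removed };
}

// Constructed sample note body: mixed-case tag, a '>' inside a quoted
// attribute, and a self-closing variant. Harmless placeholder src values.
const SAMPLE_NOTE =
  '<p>Shopping list</p><EMBED src="x" title="a>b"><embed src="y"/><p>done</p>';

const result = stripDisallowedTags(SAMPLE_NOTE);
console.log(result.html);                    // sanitized body
console.log(`removed ${result.removed.length} disallowed tag(s)`);
```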

Thanks for the update @Nowasky
