Security Vulnerability #3552
Thanks, the fix will be in next release
FYI I've found two other vulnerabilities and reported them via e-mail.
Any updates on whatever this may be? I'm curious because I've been having some problems with malware on my phone and desktops, and I noticed in the logs for the mobile app that it mentioned "Saving updated dropbox auth" when I hadn't updated anything in Dropbox or Joplin's connection to it in over a week...
Fixed in d209d50
This does not fix the reported vulnerability. Joplin v1.0.233 is still vulnerable to CVE-2020-15930.
Was this fixed or wasn't it? I find it disturbing that the dev didn't respond after the last comment, either to clarify that this has indeed been fixed or to follow up on the problem.
CVE-2020-15930 HTML embed tags are rendered in Joplin. This can be used to open a child window through window.open() that will have node integration enabled. This leads to arbitrary code execution on the victim system. If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application. The vulnerability was fixed in v1.1.4 by disallowing the embed tag.
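The mitigation described in the CVE text above (disallowing the HTML embed tag before a note is rendered) as an added, illustrative example; this is not Joplin's own code, and the note-body strings and the `auditNotes` helper are constructed for the demonstration.

```javascript
// Added example, not Joplin's implementation: strip <embed> tags from note
// HTML before it reaches the renderer, and count what was removed so the
// caller can log or alert on it.

// Matches an <embed ...> start tag (any case, any attributes, optional "/>"
// or a stray closing form), tolerating whitespace after "<".
const EMBED_TAG = /<\s*\/?\s*embed\b[^>]*>/gi;

// Remove every <embed> tag from a note body; returns the cleaned HTML and the
// number of tags removed.
function stripEmbedTags(html) {
  let removed = 0;
  const cleaned = html.replace(EMBED_TAG, () => {
    removed += 1;
    return '';
  });
  return { cleaned, removed };
}

// Defensive check a note-import or API handler can run before saving:
// true when the body contains no <embed> tag at all.
function isFreeOfEmbed(html) {
  return !/<\s*embed\b/i.test(html);
}

// Constructed sample notes, not real data.
const SAMPLE_NOTES = [
  { id: 'n1', body: '# Shopping\n\n- milk\n- eggs' },
  { id: 'n2', body: '<p>See</p><EMBED src="x.html" type="text/html">' },
  { id: 'n3', body: '<embed src="a"/><b>bold</b><embed src="b">' },
];

// Hypothetical audit helper: sanitise each note and report how many tags
// were dropped per note id.
function auditNotes(notes) {
  return notes.map((n) => ({ id: n.id, ...stripEmbedTags(n.body) }));
}
```

A regular expression is enough to show the idea; a production renderer should enforce this through a DOM-based allowlist sanitizer rather than string matching, since attribute values containing `>` break the pattern.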
Thanks for the update @Nowasky |
I'm opening this issue for future disclosure regarding the vulnerability reported via e-mail.