CVE-2022-40277

HIGH7.8EPSS 0.11%

Joplin Remote Code Execution

Published: 10/1/2022Modified: 4/23/2024

Description

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the `shell.openExternal` function.

Affected packages (1)

npm/joplinfrom 0, <= 2.8.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-40277
PATCHhttps://github.com/laurent22/joplin
WEBhttps://fluidattacks.com/advisories/skrillex