
CVE-2024-49362 Vulnerability Details


CVE-2024-49362 Metadata Quick Info

CVE Published: 14/11/2024 | CVE Updated: 14/11/2024 | CVE Year: 2024
Source: GitHub_M | Vendor: laurent22 | Product: joplin
Status: PUBLISHED

CVE-2024-49362 Description

Joplin is a free, open source note-taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on a link within untrusted notes. The issue arises from insufficient sanitization of tag attributes introduced by Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.

Metrics

CVSS Version: 3.1 | Base Score: 7.7 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

Exploitability Metrics:
    Attack Vector (AV): LOCAL
    Attack Complexity (AC): LOW
    Privileges Required (PR): HIGH
    User Interaction (UI): REQUIRED
    Scope (S): CHANGED

Impact Metrics:
    Confidentiality Impact (C): HIGH
    Integrity Impact (I): HIGH
    Availability Impact (A): LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-94
CWE Name: CWE-94: Improper Control of Generation of Code (Code Injection)
Source: laurent22

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).
