Joplin
cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:*:*
- >= 3.2.6, <= 3.2.11
A cross-site scripting (XSS) vulnerability has been identified in Joplin, a note-taking application, specifically in versions 3.2.6 through 3.2.11. The vulnerability arises from a discrepancy between how Joplin's HTML sanitizer and how browsers process comments, and it affects both the Rich Text Editor and the Markdown viewer. However, the Markdown viewer's cross-origin isolation prevents direct access to the Joplin window, whereas in the Rich Text Editor the vulnerability allows arbitrary code execution. The issue was not present in Joplin 3.1.24 and may have been introduced in a previous version.
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute arbitrary code in the context of the user.
To reproduce this vulnerability, create a note in the Rich Text Editor with specific Markdown that includes comments and an image tag with an 'onerror' attribute. After saving the note, switch back to the Rich Text Editor, where the injected script will execute, demonstrating the XSS vulnerability.
Users are advised to upgrade to Joplin version 3.2.12 or later, where this vulnerability has been addressed.
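For triage, the following added example (not Joplin's code and not part of the advisory) classifies installed versions against the affected range stated above and flags note bodies that combine an HTML comment with an `<img>` carrying an `onerror` attribute. The function names, host names, note ids and note bodies are constructed for illustration, and the note check is a heuristic for manual review, not a detector of the sanitizer flaw itself.

```javascript
// Added triage example; not Joplin code. The range below is the one listed in the advisory.
const AFFECTED_MIN = [3, 2, 6];
const AFFECTED_MAX = [3, 2, 11];

// Parse "3.2.11", "v3.2.7" or "3.2.8-beta" into [major, minor, patch]; null if malformed.
// Pre-release suffixes are ignored, which errs toward reporting a build as affected.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison per component; a plain string compare would rank "3.2.11" below "3.2.6".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function versionStatus(text) {
  const v = parseVersion(text);
  if (!v) return 'unknown';
  const inRange = compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
  return inRange ? 'affected' : 'outside-listed-range';
}

// Heuristic only: the advisory describes notes combining comments with an <img> that has an
// onerror attribute, so bodies containing both are flagged for manual review.
function noteNeedsReview(body) {
  return body.includes('<!--') && /<img\b[^>]*\bonerror\s*=/i.test(body);
}

function triage(hosts, notes) {
  return {
    hosts: hosts.map((h) => ({ host: h.host, status: versionStatus(h.version) })),
    notesToReview: notes.filter((n) => noteNeedsReview(n.body)).map((n) => n.id),
  };
}

// Constructed sample inventory and note bodies (not real data).
const SAMPLE_HOSTS = [
  { host: 'laptop-a', version: '3.2.11' }, { host: 'laptop-b', version: 'v3.2.12' },
  { host: 'laptop-c', version: '3.1.24' }, { host: 'laptop-d', version: 'dev-build' },
];
const SAMPLE_NOTES = [
  { id: 'n1', body: '<!-- draft --> ![diagram](diagram.png)' },
  { id: 'n2', body: '<!-- c --><img src="missing.png" onerror="placeholder()">' },
  { id: 'n3', body: 'Shopping list\n- milk' },
];
console.log(JSON.stringify(triage(SAMPLE_HOSTS, SAMPLE_NOTES), null, 2));
```

Hosts reported as `unknown` should be checked by hand, since an unparseable version string says nothing about whether the build is in range.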