Joplin
cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:*:*, +1 more
- <= 3.1.23
A cross-site scripting (XSS) vulnerability has been identified in Joplin Desktop versions through 3.1.23. This issue arises from the application using React's 'dangerouslySetInnerHTML' to insert note titles into the document without properly escaping HTML entities. The absence of a restrictive Content-Security-Policy allows the execution of arbitrary JavaScript via inline event handlers in unsanitized HTML. Furthermore, with 'nodeIntegration' enabled, this arbitrary JavaScript execution can lead to arbitrary code execution. The vulnerability affects users who receive notes from unknown sources and use 'ctrl+p' to search.
Exploitation of this vulnerability allows for cross-site scripting, where note titles can execute arbitrary JavaScript. In the context of Joplin's Electron framework, this could lead to arbitrary code execution on the user's machine.
To reproduce this vulnerability, create a note with an unescaped title containing a 'style' tag including an 'onload' event handler, such as one that triggers a JavaScript alert. Then, add a unique word to the note body. When 'ctrl+p' is pressed and the unique word is searched, the 'onload' event will execute, demonstrating the XSS vulnerability.
Users are advised to upgrade to Joplin version 3.1.24, where this vulnerability has been patched.