CVE-2018-1000534

Source
https://cve.org/CVERecord?id=CVE-2018-1000534
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000534.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-1000534
Aliases
Published
2018-06-26T16:29:01.947Z
Modified
2026-04-10T04:03:30.022499Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Joplin versions prior to 1.0.90 contain an XSS vulnerability in the Note content field that escalates into code execution because nodeIntegration is enabled for the BrowserWindow instance in which the XSS was identified. Information on the fix can be found at https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89. The issue can result in executing unauthorized code with the rights under which the application is running. The attack appears to be exploitable when the victim synchronizes notes from cloud services or other note-keeping services that contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later.

References

Affected packages

Git / github.com/laurent22/joplin

Affected ranges

Type
GIT
Repo
https://github.com/laurent22/joplin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.90"
        }
    ]
}

Affected versions

android-v0.*
android-v0.10.61
android-v0.10.62
android-v0.10.65
android-v0.10.69
android-v0.10.71
android-v0.10.83
android-v0.10.85
android-v0.10.86
android-v0.10.88
android-v0.10.89
android-v0.10.90
android-v0.10.91
android-v0.10.92
android-v1.*
android-v1.0.100
android-v1.0.101
android-v1.0.102
android-v1.0.103
android-v1.0.115
android-v1.0.116
android-v1.0.118
android-v1.0.119
android-v1.0.120
android-v1.0.122
android-v1.0.123
android-v1.0.94
android-v1.0.95
android-v1.0.97
android-v1.0.98
cli-v0.*
cli-v0.10.86
cli-v0.10.87
cli-v0.10.93
cli-v1.*
cli-v1.0.100
cli-v1.0.106
cli-v1.0.95
cli-v1.0.96
cli-v1.0.97
cli-v1.0.98
cli-v1.0.99
ios-v0.*
ios-v0.10.6
ios-v1.*
ios-v1.0.13
ios-v10.*
ios-v10.0.21
v0.*
v0.10.26
v0.10.27
v0.10.28
v0.10.29
v0.10.30
v0.10.31
v0.10.32
v0.10.33
v0.10.34
v0.10.35
v0.10.36
v0.10.37
v0.10.38
v0.10.41
v0.10.42
v0.10.43
v0.10.55
v0.10.56
v0.10.57
v0.10.58
v0.10.59
v0.10.60
v0.10.61
v1.*
v1.0.62
v1.0.63
v1.0.64
v1.0.66
v1.0.67
v1.0.68
v1.0.69
v1.0.70
v1.0.81
v1.0.82
v1.0.83
v1.0.84
v1.0.85
v1.0.86
v1.0.87
v1.0.88
v1.0.89

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000534.json"