CVE-2024-49362

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-49362

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49362.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-49362

Aliases

GHSA-hff8-hjwv-j9q7

Published

2024-11-14T17:37:09.700Z

Modified

2026-04-10T05:17:56.768510Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L CVSS Calculator

Summary

Remote Code Execution on click of <a> Link in markdown preview

Details

Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.

Database specific

{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49362.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "3.1"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49362.json"