Vulnerability Description
Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Joplin Project | Joplin | < 2.13.3 |
Related Weaknesses (CWE)
References
- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandboxTechnical Description
- https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59ExploitVendor Advisory
- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandboxTechnical Description
- https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59ExploitVendor Advisory
FAQ
What is CVE-2023-45673?
CVE-2023-45673 is a vulnerability with a CVSS score of 8.9 (HIGH). Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arb...
How severe is CVE-2023-45673?
CVE-2023-45673 has been rated HIGH with a CVSS base score of 8.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-45673?
Check the references section above for vendor advisories and patch information. Affected products include: Joplin Project Joplin.