In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database (NVD) between June 21 and 22, 2024.
During this period, the NVD published 150 new Common Vulnerabilities and Exposures (CVEs), which break down by CVSS base severity as follows:
Critical: 5
High: 14
Medium: 48
Low: 2
Severity Not Assigned: 81
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment. Note that the 81 entries listed as "Severity Not Assigned" are CVEs whose NVD record carries no CVSS score yet (typically because the entry is still awaiting NVD analysis); they do not appear in the list below even though some of them may turn out to be serious, so they are worth a second look once scored.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High severity vulnerabilities that demand immediate attention.
1. CVE-2024-6213
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in SourceCodester Food Ordering Management System up to 1.0. It has been classified as critical. This affects an unknown part of the file login.php of the component Login Panel. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269277 was assigned to this vulnerability.
References: https://github.com/jadu101/CVE/blob/main/SourceCodester_Food_Ordering_Management_System_Sqli.md
https://vuldb.com/?ctiid.269277
https://vuldb.com/?id.269277
https://vuldb.com/?submit.359574
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-5503
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/gutenberg.php#L883
https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/gutenberg.php#L900
https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/gutenberg.php#L917
https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/src/grid/element.php#L1146
https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/src/list/element.php#L1136
https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/src/masonry/element.php#L1134
https://www.wordfence.com/threat-intel/vulnerabilities/id/5205cc95-06d1-4bc6-a9ea-082df9566935?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-6218
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in itsourcecode Vehicle Management System 1.0. Affected by this issue is some unknown functionality of the file busprofile.php. The manipulation of the argument busid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-269282 is the identifier assigned to this vulnerability.
References: https://github.com/HryspaHodor/CVE/issues/7
https://vuldb.com/?ctiid.269282
https://vuldb.com/?id.269282
https://vuldb.com/?submit.360697
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-5455
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://roadmap.theplusaddons.com/updates/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8699142d-4ddd-4ca1-9886-9b2d905a36cd?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
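Entries 2 and 4 describe the same bug shape: a request parameter (the advisory names `magazine_style` for entry 4) is spliced into a file path that is then included, so a Contributor can point it at any file the web server can read, including something they uploaded earlier. The following is an added illustration written for this digest, not code from WP Blog Post Layouts or The Plus Addons for Elementor: a template resolver in that vulnerable shape next to a hardened one. The directory name, the style names and the way the path is assembled are assumptions chosen for the example.

```javascript
// Added example (not code from either plugin): a template loader in the
// vulnerable shape the two LFI advisories above describe, next to a
// hardened version. TEMPLATE_DIR, KNOWN_STYLES and the path layout are
// assumptions for this illustration.

const TEMPLATE_DIR = '/srv/plugin/templates';
const KNOWN_STYLES = new Set(['grid', 'list', 'masonry']);

// Minimal POSIX path normalisation: resolves "." and ".." segments. Real Node
// code would call path.resolve(); it is spelled out here so the effect of an
// attacker's ".." segments on the final path is visible.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable shape: the request parameter is concatenated into the include
// path. style = "../../uploads/avatar.jpg" resolves to a file outside
// TEMPLATE_DIR, which is the "include a previously uploaded file" case the
// advisories warn about.
function resolveTemplateVulnerable(style) {
  return normalizePosix(TEMPLATE_DIR + '/' + style);
}

// Hardened shape: (1) the parameter must be one of a fixed set of names, and
// (2) the resolved path must still sit inside TEMPLATE_DIR. Either check on
// its own stops this bug; keeping both means a later allowlist entry that
// happens to contain a slash still cannot escape the directory.
function resolveTemplate(style) {
  if (typeof style !== 'string' || !KNOWN_STYLES.has(style)) {
    throw new Error('unknown template style');
  }
  const resolved = normalizePosix(TEMPLATE_DIR + '/' + style);
  if (!resolved.startsWith(TEMPLATE_DIR + '/')) {
    throw new Error('template path escapes template directory');
  }
  return resolved;
}

// Convenience for demonstrations: true when the hardened resolver refuses.
function isRejected(style) {
  try {
    resolveTemplate(style);
    return false;
  } catch (e) {
    return true;
  }
}

function demo() {
  const payload = '../../uploads/avatar.jpg';
  console.log('vulnerable resolves to :', resolveTemplateVulnerable(payload));
  console.log('hardened rejects it    :', isRejected(payload));
  console.log('hardened, valid style  :', resolveTemplate('grid'));
}
demo();
```

The allowlist is the fix that matters: a style name is a key into a fixed set, never a path fragment. The containment check is defence in depth, and it also covers the variant where the attacker's value is a legitimate-looking file name rather than a traversal sequence.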
5. CVE-2024-5756
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L532
https://plugins.trac.wordpress.org/changeset/3101638/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5bd11c6-2f55-4eee-834a-c4e405482b9c?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-2003
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.9
Description: Local privilege escalation vulnerability allowed an attacker to misuse ESET's file operations during a restore operation from quarantine.
References: https://support.eset.com/ca8674
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-31890
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: IBM i 7.3, 7.4, and 7.5 product IBM TCP/IP Connectivity Utilities for i contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. IBM X-Force ID: 288171.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/288171
https://www.ibm.com/support/pages/node/7158240
CWE-ID: CWE-250
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-6027
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/themify-wc-product-filter/trunk/public/class-wpf-public.php#L604
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3104239%40themify-wc-product-filter%2Ftrunk&old=3100861%40themify-wc-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2
https://themify.org/changelogs/themify-wc-product-filter.txt
https://www.wordfence.com/threat-intel/vulnerabilities/id/451db756-9d62-4c8e-b735-e5e5207b81e3?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
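Four of the entries so far are SQL injection: entries 1 and 3 via single request parameters (`username` on login.php, `busid` on busprofile.php) and entries 5 and 8 time-based blind injection via the `db` and `conditions` parameters. What a SOC wants from a digest like this is something to run over last week's web logs. The block below is an added example written for this digest, not code from any of the vendors or advisories: a scanner for injection indicators in the query strings of access-log lines. The sample log lines are constructed; only the parameter names `busid`, `db` and `conditions` are taken from the advisories, and the paths, hosts, IPs and timestamps are made up. One caveat the code itself spells out: an access log only carries GET query strings, so a parameter sent in a POST body (a login form's username, typically) has to be fed to `scanRequest()` from a WAF or request-body log instead.

```javascript
// Added example (not from any of the advisories above): scan access-log
// lines for SQL-injection indicators in query-string parameters.
//
// Assumed input: Apache/Nginx "combined" log format. Only the GET query
// string is visible in such logs; parameters sent in a POST body must be fed
// to scanRequest() from a WAF or request-body log instead.

const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Indicator rules, checked against each decoded parameter value. The order
// here is the order rule names appear in a finding's `rules` array.
const RULES = [
  // time-based blind injection, the class in the Icegram Express and Themify
  // entries above
  ['time_based', /\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b/i],
  ['union_select', /\bunion\b[\s\S]{0,40}?\bselect\b/i],
  // quote-break tautology such as  ' OR '1'='1
  ['boolean_tautology', /'\s*(?:or|and)\s+['\w]+\s*=\s*['\w]+/i],
  // comment terminators used to discard the rest of the original statement;
  // a bare "#" is deliberately not enough (think color=%23ff0000)
  ['sql_comment', /--\s|\/\*|'\s*#/],
];

// Percent-decode a query component; malformed encodings are inspected raw
// rather than dropped, since attackers sometimes send exactly that.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// "a=1&b=2" -> [["a","1"],["b","2"]]; duplicate names are kept as-is.
function parseQuery(query) {
  if (!query) return [];
  return query.split('&').filter(Boolean).map((pair) => {
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    return [safeDecode(k), safeDecode(v)];
  });
}

// One finding per parameter whose decoded value trips at least one rule.
function scanRequest(path, query) {
  const findings = [];
  for (const [param, value] of parseQuery(query)) {
    const rules = RULES.filter(([, re]) => re.test(value)).map(([name]) => name);
    if (rules.length > 0) findings.push({ path, param, rules, value });
  }
  return findings;
}

// Parse every line, split the request target into path and query, and
// collect findings with the request context attached.
function scanAccessLog(text) {
  const findings = [];
  text.split('\n').forEach((line, lineNo) => {
    const m = LOG_LINE.exec(line);
    if (!m) return; // not a combined-format line; skip rather than guess
    const [, ip, ts, method, url] = m;
    const q = url.indexOf('?');
    const path = q < 0 ? url : url.slice(0, q);
    const query = q < 0 ? '' : url.slice(q + 1);
    for (const f of scanRequest(path, query)) {
      findings.push({ lineNo, ip, ts, method, ...f });
    }
  });
  return findings;
}

// Constructed sample log. Only the parameter names busid, db and conditions
// are taken from the advisories; the paths, hosts, IPs and timestamps are
// made up for this example.
const SAMPLE_LOG = [
  '198.51.100.23 - - [21/Jun/2024:10:02:07 +0000] "GET /vms/busprofile.php?busid=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [21/Jun/2024:10:02:09 +0000] "GET /vms/busprofile.php?busid=12 HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [21/Jun/2024:10:05:41 +0000] "GET /?conditions=%7B%22a%22%3A%221%27%20OR%20SLEEP(3)%23%22%7D HTTP/1.1" 200 9120 "-" "curl/8.5.0"',
  '203.0.113.9 - - [21/Jun/2024:10:06:02 +0000] "GET /wp-admin/admin-ajax.php?db=contacts%27%20UNION%20SELECT%201%2C2--%20- HTTP/1.1" 200 77 "-" "curl/8.5.0"',
  '192.0.2.4 - - [21/Jun/2024:10:07:15 +0000] "GET /food/index.php?page=menu&color=%23ff0000 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '192.0.2.4 - - [21/Jun/2024:10:08:30 +0000] "GET /vms/busprofile.php?busid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
].join('\n');

function demo() {
  for (const f of scanAccessLog(SAMPLE_LOG)) {
    console.log(`line ${f.lineNo} ${f.ip} ${f.method} ${f.path} param=${f.param} rules=${f.rules.join(',')} value=${JSON.stringify(f.value)}`);
  }
}
demo();
```

Run it as-is to see the four constructed hits (two on `busid`, one each on `conditions` and `db`) and the two benign lines pass through. Time-based payloads are the ones to prioritise when triaging: a `SLEEP(...)` in a parameter followed by a response that really did take that many seconds is confirmation, not just an attempt, and the response-time column is the first thing to join against these findings.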
9. CVE-2024-35766
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS. This issue affects WPPizza: from n/a through 3.18.13.
References: https://patchstack.com/database/vulnerability/wppizza/wordpress-wppizza-a-restaurant-plugin-plugin-3-18-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2022-43453
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Missing Authorization vulnerability in Bill Minozzi WP Tools. This issue affects WP Tools: from n/a through 3.41.
References: https://patchstack.com/database/vulnerability/wptools/wordpress-wp-tools-plugin-2-51-3-41-auth-broken-access-control-vulnerability?_s_id=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-37212
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 6.0
Description: Cross-Site Request Forgery (CSRF) vulnerability in Ali2Woo Ali2Woo Lite. This issue affects Ali2Woo Lite: from n/a through 3.3.5.
References: https://patchstack.com/database/vulnerability/ali2woo-lite/wordpress-aliexpress-dropshipping-with-alinext-lite-plugin-3-3-5-csrf-to-php-object-injection-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-6240
Base Score: 7.7
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.8
Description: Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. An attacker could add malicious code in a script and populate the BASH_ENV environment variable with the path to the malicious script, executing on application startup. An attacker could exploit this vulnerability to escalate privileges on the system.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/improper-privilege-management-vulnerability-parallels-desktop
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-38389
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Incorrect Authorization vulnerability in Artbees JupiterX Core allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JupiterX Core: from n/a through 3.3.8.
References: https://patchstack.com/database/vulnerability/jupiterx-core/wordpress-jupiter-x-core-plugin-3-3-0-unauthenticated-account-takeover-vulnerability?_s_id=cve
CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-35767
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection. This issue affects Squeeze: from n/a through 1.4.
References: https://patchstack.com/database/vulnerability/squeeze/wordpress-squeeze-plugin-1-4-arbitrary-file-upload-vulnerability?_s_id=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
15. CVE-2020-27352
Base Score: 9.3
Base Severity: CRITICAL
Exploitability Score: 2.5
Impact Score: 6.0
Description: When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended.
References: https://bugs.launchpad.net/snapd/+bug/1910456
https://ubuntu.com/security/notices/USN-4728-1
https://www.cve.org/CVERecord?id=CVE-2020-27352
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
16. CVE-2023-37898
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.3
Description: Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with
`<div>` and `</div>`, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening `<div>` tag, then includes HTML that runs JavaScript.
Because the rendered markdown iframe has the same origin as the top-level document and is not sandboxed, any script running in the preview iframe can access the `top` variable and, through it, the top-level NodeJS `require` function. `require` can then be used to import modules like `fs` or `child_process` and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox
https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
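Entry 16 is the clearest mechanism description on this page: "safe mode" wrapped untrusted note text in a `<div>` without escaping it, so the text could simply close the wrapper and continue as markup. The block below is an added illustration written for this digest, not Joplin's renderer code: the wrapper in its vulnerable and fixed shapes, a tag counter that tells them apart, and a constructed attacker note in the shape the advisory describes. The attacker string is only ever treated as text here; nothing is executed.

```javascript
// Added example, not Joplin's code: the safe-mode wrapper bug above in its
// vulnerable and fixed shapes, plus a check that tells them apart.

// Escape the five characters that can change HTML structure or attribute
// context. After this, untrusted text can never close the wrapper element
// or start a new one.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable shape: the note body is concatenated between the wrapper tags.
// A body containing "</div>" ends the wrapper early, and whatever follows is
// parsed as new markup.
function renderSafeModeVulnerable(noteBody) {
  return '<div>' + noteBody + '</div>';
}

// Fixed shape: the interior is escaped, so the output contains exactly the
// two wrapper tags and nothing else the parser treats as a tag.
function renderSafeMode(noteBody) {
  return '<div>' + escapeHtml(noteBody) + '</div>';
}

// Counts tags in a rendered fragment. For safe-mode output the expected
// answer is 2 (the wrapper's opening and closing tag); anything higher means
// the note body introduced markup of its own.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed attacker note: closes the wrapper, then adds an element with an
// event handler. In an unsandboxed same-origin preview frame such a handler
// can reach the host through `top`, as the advisory describes. Here it is
// just a string; nothing runs.
const ATTACKER_NOTE =
  '</div><img src="x" onerror="top.require(\'child_process\').execSync(\'id\')">';

function demo() {
  const vuln = renderSafeModeVulnerable(ATTACKER_NOTE);
  const fixed = renderSafeMode(ATTACKER_NOTE);
  console.log('vulnerable :', vuln, '->', countTags(vuln), 'tags');
  console.log('fixed      :', fixed, '->', countTags(fixed), 'tags');
}
demo();
```

Escaping is the right tool here because safe mode is meant to show the note as inert text. It is not the tool for entry 17, where pasted HTML is supposed to stay HTML; that case needs a real sanitizer that drops `on*` attributes and other script-bearing constructs, not a regex. Both entries share the second half of the fix the advisory points at via its MDN reference: the preview iframe should carry a `sandbox` attribute so that, even when something does slip through, the frame has no route to `top.require`.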
17. CVE-2023-38506
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.3
Description: Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
18. CVE-2023-39517
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.3
Description: Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `