CVE-2024-49362

Severity: CRITICAL, Year: 2024
CVSS v3 Score: 9.6 (Critical)

Vulnerability Description

Joplin is a free, open source note-taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within an untrusted note. The issue arises from insufficient sanitization of <a> tag attributes introduced by Mermaid. This allows untrusted HTML content to execute within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.

CVSS: 9.6 (Critical), CWE-94, 2022
Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0.
- Arbitrary (remote) code execution in the desktop app.
- Stored XSS in the web app.
CVSS: 9.6 (Critical), CWE-94, 2022
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
CVSS: 9.6 (Critical), CWE-94, 2024
Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based El...
CVSS: 9.6 (Critical), CWE-94, 2024
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge L...
CVSS: 9.4 (Critical), CWE-94, 2024
Remote code execution in paddlepaddle/paddle 2.6.0.
CVSS: 9.4 (Critical), CWE-94, 2024
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpr...