Remote Code Execution vulnerability #6004
Comments
When you create an issue on GitHub, one of the options shows how to submit a potential vulnerability rather than opening a ticket.
This is a serious security vulnerability; it should not be made public until it is fixed.
Okay.
And probably it's the file:// "vulnerability".
I have sent an email, have you received it?
Yes, thanks, I got it and replied.
Check your spam folder if you didn't get my email. |
I have received your email; you said "Do you have a CVE for it?".
You mean "do I need to request a CVE"?
I want to create a draft security advisory in the GitHub repository and request a CVE; this requires you to give me permission to "New draft security advisory".
------------------ Original message ------------------
From: "laurent22/joplin" ***@***.***>;
Sent: Tuesday, 11 January 2022, 11:56 PM
***@***.***>;
***@***.******@***.***>;
Subject: Re: [laurent22/joplin] Remote Code Execution vulnerability (Issue #6004)
Check your spam folder if you didn't get my email.
Excuse me, I can't understand what you mean. Maybe I should request a CVE at https://cveform.mitre.org?
The CVE is up to you, we don't deal with this part. And of course it's not required, we'll fix the bug regardless.
Let's leave the report open actually, so that we can link to it when fixing the issue.
I have a question: if the vulnerability is meant to be kept from the public eye until a fix is made/distributed, doesn't that commit reveal it before the fix is distributed, especially seeing that this fix has so far only gone into a pre-release, not a new stable release? Have I misunderstood something about this? I guess it's impossible to commit something that isn't publicly shown on GitHub, but then shouldn't vulnerability fixes be pushed straight to stable releases?
It depends on the vulnerability. This one is difficult to exploit and thus it was decided to make the fix available from the pre-release.
Joplin Remote Code Execution
Description
Joplin is powered by Electron. When the victim presses Ctrl+P to search content, if the payload is near the content (before the content), we can remotely execute any JavaScript code on the victim's computer.
Affected versions of Joplin
Joplin version: Joplin 2.6.10
Platform: Windows
OS specifics: Windows 11
PoC
calc.exe
to corresponding command)
Ctrl+P and input wh1sper
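The report above does not say how the payload reaches the renderer, only that note text sitting just before a search hit ends up executing as JavaScript in Joplin's Electron window. The following is an added illustration of that general bug class, not Joplin's code and not the reporter's PoC: a search-result snippet built by concatenating raw note text into HTML, shown beside a version that escapes every note fragment before adding its own `<mark>` highlighting. The function names, the sample note, the query and the `alert(1)` placeholder are constructed for this example.

```javascript
'use strict';

// Added illustration, not Joplin's code and not the reporter's PoC. Function
// names, the sample note and the placeholder payload are constructed here.
// In an Electron renderer with nodeIntegration enabled, script that runs this
// way can reach require('child_process'), which is what turns markup injection
// into native code execution; alert(1) stands in for that.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Constructed sample note: markup sits just before the word a user might search for.
const SAMPLE_NOTE = 'shopping list <img src=x onerror="alert(1)"> wh1sper milk eggs';

// Locate the query (case-insensitive) and compute the snippet boundaries around it.
function locate(noteText, query, context) {
  const hit = noteText.toLowerCase().indexOf(query.toLowerCase());
  if (hit < 0) return null;
  return {
    start: Math.max(0, hit - context),
    hit,
    hitEnd: hit + query.length,
    end: Math.min(noteText.length, hit + query.length + context),
  };
}

// Vulnerable pattern: raw note text is concatenated into the result HTML, so any
// markup inside the note is rendered live alongside our own <mark> tags.
function renderSnippetUnsafe(noteText, query, context = 40) {
  const p = locate(noteText, query, context);
  if (!p) return null;
  return noteText.slice(p.start, p.hit)
    + '<mark>' + noteText.slice(p.hit, p.hitEnd) + '</mark>'
    + noteText.slice(p.hitEnd, p.end);
}

// Hardened pattern: identical slicing, but each piece of note text is escaped
// before markup is added, so the only live tags are the <mark> pair we emit.
function renderSnippetSafe(noteText, query, context = 40) {
  const p = locate(noteText, query, context);
  if (!p) return null;
  return escapeHtml(noteText.slice(p.start, p.hit))
    + '<mark>' + escapeHtml(noteText.slice(p.hit, p.hitEnd)) + '</mark>'
    + escapeHtml(noteText.slice(p.hitEnd, p.end));
}

// Review check: true if the snippet contains any tag other than <mark> / </mark>.
function hasForeignTag(html) {
  return /<(?!\/?mark>)[a-z]/i.test(html);
}

function main() {
  for (const render of [renderSnippetUnsafe, renderSnippetSafe]) {
    const html = render(SAMPLE_NOTE, 'wh1sper');
    console.log(render.name, hasForeignTag(html) ? 'UNSAFE' : 'ok', html);
  }
}

main();
```

Escaping the fragment is the fix for the injection itself; it is independent of Electron's documented renderer hardening (disabling `nodeIntegration`, enabling `contextIsolation`), which limits what injected script can do but does not stop it from running.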