CVE-2023-38506

8.2 HIGH

📋 TL;DR

Joplin note-taking application has a cross-site scripting (XSS) vulnerability where pasting untrusted HTML into the rich text editor can execute arbitrary JavaScript. This JavaScript can access NodeJS's require function through the top variable, potentially allowing remote code execution. All Joplin users with vulnerable versions are affected.

💻 Affected Systems

Products:
  • Joplin
Versions: All versions before 2.12.10
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with rich text editor functionality are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution allowing full system compromise, data theft, or ransomware deployment through malicious note content

🟠 Likely Case: Local privilege escalation or data exfiltration when users paste malicious content from untrusted sources

🟢 If Mitigated: Limited to isolated application context if proper sandboxing were implemented

🌐 Internet-Facing: MEDIUM - Requires user interaction (pasting malicious content) but could be delivered via phishing
🏢 Internal Only: MEDIUM - Same attack vector applies internally, but requires user interaction

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user to paste malicious HTML content, but the technical complexity is low once that occurs

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12.10

Vendor Advisory: https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399

Restart Required: Yes

Instructions:

1. Open the Joplin application
2. Go to Help > Check for updates
3. Follow the prompts to update to version 2.12.10 or later
4. Restart Joplin after the update completes

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability

🧯 If You Can't Patch

  • Disable rich text editor functionality if possible
  • Educate users to never paste HTML content from untrusted sources into Joplin

🔍 How to Verify

Check if Vulnerable:

Check Joplin version in Help > About. If version is below 2.12.10, you are vulnerable

Check Version:

On Linux/macOS: run joplin --version, or check Help > About in the GUI

Verify Fix Applied:

After updating, verify version is 2.12.10 or higher in Help > About

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Joplin context
  • Network connections to suspicious domains from Joplin

Network Indicators:

  • Outbound connections to unexpected destinations from Joplin process

SIEM Query:

Process creation where parent_process contains 'joplin' AND (process contains 'cmd.exe' OR process contains 'powershell' OR process contains 'bash')
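The SIEM query above as runnable detection logic, together with the version check from the How to Verify section, as an added example that is not code from the Joplin project or the advisory; the event field names (parent_image, image, command_line, host) and every sample event are constructed for this example, and the child-process match is done case-insensitively on the file name so that Windows and Linux paths both work.

```python
"""Detection and version-check helpers for CVE-2023-38506 (Joplin XSS -> RCE)."""
import re
from typing import Dict, Iterable, List, Tuple

# Child processes the page's SIEM query treats as suspicious under a Joplin parent.
SHELL_PATTERNS = ("cmd.exe", "powershell", "bash")
# First fixed release according to the vendor advisory.
PATCHED = (2, 12, 10)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'Joplin 2.12.10' or '2.11.5' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable_version(text: str) -> bool:
    """True for any Joplin version below 2.12.10."""
    return parse_version(text) < PATCHED


def _file_name(path: str) -> str:
    """Last path component, accepting both '\\' and '/' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_joplin_shell_spawn(event: Dict[str, str]) -> bool:
    """The page's rule: parent process is Joplin and the child is a shell."""
    parent = _file_name(event.get("parent_image", ""))
    child = _file_name(event.get("image", ""))
    return "joplin" in parent and any(p in child for p in SHELL_PATTERNS)


def find_suspicious(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every process-creation event that matches the rule."""
    return [e for e in events if is_joplin_shell_spawn(e)]


SAMPLE_EVENTS = [  # constructed process-creation events, assumed generic schema
    {"host": "ws01", "parent_image": r"C:\Program Files\Joplin\Joplin.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "ws01", "parent_image": r"C:\Program Files\Joplin\Joplin.exe",
     "image": r"C:\Program Files\Joplin\Joplin.exe", "command_line": "Joplin.exe --type=renderer"},
    {"host": "lx02", "parent_image": "/usr/bin/joplin-desktop",
     "image": "/usr/bin/bash", "command_line": "bash -c id"},
    {"host": "lx02", "parent_image": "/usr/bin/gnome-terminal",
     "image": "/usr/bin/bash", "command_line": "bash"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['host']}: Joplin spawned {hit['command_line']!r}")
```

Renderer child processes of Joplin itself (the second sample event) are normal Electron behaviour and are not flagged, which keeps the rule's false-positive rate low.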
