Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-24028

Date: February 7, 2025

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is "cross-origin isolated", which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin "window". This issue is not present in Joplin 3.1.24 and may have been introduced in "9b50539". This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity Score

Related Resources (6)

https://joplinapp.org/help/dev/spec/note_viewer_isolation
https://github.com/laurent22/joplin/commit/2a058ed8097c2502e152b26394dc1917897f5817
https://nvd.nist.gov/vuln/detail/CVE-2025-24028
https://github.com/laurent22/joplin/commit/9b505395918bc923f34fe6f3b960bb10e8cf234e
https://github.com/laurent22/joplin/security/advisories/GHSA-5w3c-wph9-hq92
https://www.mend.io/vulnerability-database/CVE-2025-24028

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us