CVE-2024-55630 LOW

CVE-2024-55630: DOM Clobbering leads to temporary DOS in the note viewer in Joplin

Vendor Laurent22
Product joplin
Weakness CWE-20 · Input validation
Published February 7, 2025
Last update February 10, 2025

CVSS base score

3.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerability's only known impact is denial of service. The note viewer fails to refresh until closed and re-opened with a different note. This issue has been addressed in version 3.2.8 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

February 7, 2025 CVE published
February 10, 2025 Record updated