CVE-2021-33295: 
JavaScript vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Joplin Desktop App versions before 1.8.5, identified as CVE-2021-33295. The vulnerability allowed attackers to execute arbitrary code due to improper sanitization of HTML content. The issue was discovered by Jubair Rehman Yousafzai and was fixed with the release of version 1.8.5 (Joplin Release).

The vulnerability stemmed from improper sanitization of HTML content, specifically related to the handling of NOSCRIPT tags. The fix involved updating the disallowedTags array in the sanitizeHtml function to include 'noscript' among other restricted tags like 'script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', and 'meta' (Joplin Patch). The vulnerability received a CVSS v3.1 base score of 5.4 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allowed attackers to execute arbitrary code through cross-site scripting attacks, potentially compromising user data and application security. The impact was rated as medium severity, affecting confidentiality and integrity of the application (NVD).

The vulnerability was fixed in Joplin Desktop App version 1.8.5. Users are advised to upgrade to this version or later to mitigate the security risk. The fix includes additional security measures for HTML sanitization by adding NOSCRIPT to the list of disallowed tags (Joplin Release).