CVE-2023-45673: 
NixOS vulnerability analysis and mitigation

Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. The vulnerability exists because Joplin desktop has not disabled top redirection for note viewer iframes and has node integration enabled. This issue has been addressed in version 2.13.3 (GitHub Advisory, NVD).

The vulnerability occurs when clicking links in PDFs within untrusted notes. The root cause is that Joplin desktop failed to disable top redirection for note viewer iframes and had node integration enabled. While there was existing code to prevent navigation away from the root HTML page, this protection could be bypassed when the 'show tray icon' setting was enabled (default on Windows/MacOS). The vulnerability has been assigned a CVSS v3.1 base score of 8.9 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L (GitHub Advisory).

This vulnerability allows attackers to achieve remote code execution by having a user click on a malicious link within a PDF in an untrusted note. The impact is particularly severe when the tray icon feature is enabled, which is the default setting on Windows and MacOS systems. An attacker can execute arbitrary shell commands in the context of the application (GitHub Advisory).

The vulnerability has been patched in version 2.13.3. Users are advised to upgrade to this version. There are no known workarounds for this vulnerability (NVD).