CVE-2024-49362: 
JavaScript vulnerability analysis and mitigation

Joplin, a free and open-source note-taking application, was found to contain a vulnerability (CVE-2024-49362) that enables remote code execution (RCE) when a user clicks on a link within untrusted notes. The vulnerability was disclosed on November 14, 2024, affecting Joplin-desktop version 3.0. The issue stems from insufficient sanitization of tag attributes introduced by the Mermaid feature (GitHub Advisory).

The vulnerability occurs in the markdown preview iframe where Joplin only opens links internally within the same Electron window if they contain the data-from-md attribute. While Joplin sanitizes this attribute in user-embedded links from .md files, it fails to sanitize the data-from-md attributes of tags introduced by Mermaid. The application opens windows with nodeIntegration set to true and contextIsolation set to false, allowing scripts to have full access to Node.js APIs. The markdown preview iframe shares the same origin as its parent and lacks sandbox attributes, enabling scripts to call Node.js APIs through window.parent (GitHub Advisory).

This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution. When users open and interact with untrusted notes while malicious HTML files are available locally, attackers can achieve Remote Code Execution (GitHub Advisory).

The vulnerability has been patched in Joplin version 3.1. Users are advised to upgrade to this version or later to protect against this security issue (GitHub Advisory).