Arbitrary Command Execution Vulnerability in Joplin Version 2.8.8

Arbitrary Command Execution Vulnerability in Joplin Version 2.8.8

CVE-2022-40277 · HIGH Severity

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function.

Learn more about our External Network Penetration Testing.