CVE-2021-33295: Joplin Cross Site Scripting Vulnerability via NOSCRIPT tags

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.48169%
Published: 6/17/2022
Updated: 4/23/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name: joplin
Ecosystem: npm
Vulnerable Versions: < 1.8.5
First Patched Version: 1.8.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The commit diff explicitly shows 'noscript' was added to disallowedTags in the sanitizeHtml function. This function is responsible for HTML sanitization, and the absence of 'noscript' in the blocklist before patching allowed XSS vectors. The CVE description and PoC both confirm NOSCRIPT-based XSS exploitation was possible due to inadequate sanitization, directly implicating this sanitization function.

WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute arbitrary code due to improper sanitizing of html.
