In 2023, a severe vulnerability—CVE-2023-37299—was found in Joplin, the popular open-source note-taking and to-do application. This security hole, hiding in plain sight, allowed attackers to perform cross-site scripting (XSS) by sneaking malicious JavaScript into an AREA element inside an image map. If you were using any Joplin version before 2.11.5 (desktop, mobile, or web), your data—and your system—were at risk. In this post, I’ll break down the vulnerability, show how a real exploit works, and provide the references you need to learn more.
The Problem in Plain English
Joplin lets users write notes in Markdown, which it then converts to HTML for viewing. Before version 2.11.5, however, Joplin’s HTML sanitization overlooked one attack vector: the <AREA> element used in image maps. An attacker who placed a crafted <AREA> tag inside a note could put a javascript: URL in its href attribute, and that script would run when someone clicked the mapped region. Because the note is stored and rendered for every viewer, this is a stored cross-site scripting flaw: the malicious code is injected once, saved with the note, and executed in each user's environment.
Here’s what a malicious note looks like in Markdown:
{usemap="#attackmap"}
<map name="attackmap">
<area shape="rect" coords="34,44,270,350" href="javascript:alert('XSS!')" alt="XSS Area">
</map>
How it works: the href attribute holds a javascript: URL instead of a normal link, so clicking the mapped region executes the script in the context of the rendered note. Because the sanitizer did not check the href of AREA elements, the payload survived rendering.
Want proof? Try this attack in a sandboxed HTML page. (Do not use in production!)
Why is this Dangerous?
- Stored XSS: The malicious script is saved in the note, so it runs repeatedly for any user who views it.
- Remote Attack: Shared notes, synced notebooks, or third-party exports could all carry the exploit.
- System Impact: If Joplin is running with file system access (as on desktop), attackers might run scripts to exfiltrate data or attack the local machine.
Real-World Exploit Scenario
Imagine you’re sharing notes with your coworkers via a shared Joplin notebook. An attacker adds a note with the malicious image map above. Any teammate who reads that note—especially if they’re using the Joplin desktop app—could have their session cookie or sensitive info stolen instantly. Worse, that XSS could run additional code to drop malware or manipulate other notes.
Patch and Mitigation
The Joplin maintainers patched this in version 2.11.5 by tightening their HTML sanitization routines to block scripts inside AREA elements.
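To make the class of defect concrete, here is an added example in JavaScript; it is not Joplin's own code and does not reproduce Joplin's actual sanitizer configuration. It models a sanitizer whose check for script URLs is driven by an allowlist of (tag, attribute) pairs: the "before" list omits <area>, so a javascript: href inside an image map passes through untouched, while the "after" list subjects area's href to the same check as a's href. The names URL_ATTRIBUTES_BEFORE, URL_ATTRIBUTES_AFTER, SAFE_SCHEMES, isSafeUrl, sanitizeHtml and containsScriptUrl are assumptions for this example, as is the sample note (the post's image map with an assumed map.png image supplying the usemap attribute).

```javascript
// Added example, not Joplin's code: a minimal HTML sanitizer that models the
// defect behind CVE-2023-37299 and its fix. Tag lists, scheme list and the
// regexes are assumptions for this example, not Joplin's configuration.

// tag -> attributes that may carry a URL. The assumed "before" list lacks area.
const URL_ATTRIBUTES_BEFORE = { a: ['href'], img: ['src'], iframe: ['src'] };
// Fixed list: area's href is now subject to the same scheme check.
const URL_ATTRIBUTES_AFTER = { ...URL_ATTRIBUTES_BEFORE, area: ['href'] };

// Schemes allowed in URL attributes; javascript:, data:, vbscript: etc. are
// rejected because they are absent. Assumed for this example.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// One attribute in a start tag: name="v", name='v' or name=v.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Code point helper that refuses out-of-range numeric references.
const cp = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));

// Normalise a URL value the way a browser does before it reads the scheme:
// decode numeric character references, drop control/whitespace characters
// that browsers ignore, and lowercase. Used for the check only, never output.
function normalizeUrl(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => cp(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => cp(parseInt(dec, 10)));
  return decoded.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
}

// True for relative references and fragments (no scheme) and for absolute
// URLs whose scheme is allowlisted; false for javascript:, data:, and so on.
function isSafeUrl(value) {
  const scheme = normalizeUrl(value).match(/^([a-z][a-z0-9+.-]*):/);
  if (!scheme) return true;
  return SAFE_SCHEMES.has(scheme[1]);
}

// Rewrite every start tag, dropping URL attributes that fail isSafeUrl.
// urlAttributes decides which (tag, attribute) pairs are checked at all;
// a tag missing from it (area, before the fix) is passed through as-is.
// Simplification: attribute values containing '>' are not handled.
function sanitizeHtml(html, urlAttributes) {
  return html.replace(/<([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (tag, name, attrs) => {
    const checked = urlAttributes[name.toLowerCase()];
    if (!checked) return tag;
    const cleaned = attrs.replace(ATTR_RE, (attr, aname, dq, sq, bare) => {
      if (!checked.includes(aname.toLowerCase())) return attr;
      return isSafeUrl(dq ?? sq ?? bare ?? '') ? attr : '';
    });
    return `<${name}${cleaned}>`;
  });
}

// Detection check to run over rendered output: does any attribute anywhere
// still hold a javascript: URL after normalisation?
function containsScriptUrl(html) {
  let found = false;
  html.replace(ATTR_RE, (attr, _name, dq, sq, bare) => {
    if (normalizeUrl(dq ?? sq ?? bare ?? '').startsWith('javascript:')) found = true;
    return attr;
  });
  return found;
}

// Constructed sample: the post's image map as rendered HTML. The <img> line
// with map.png is an assumption standing in for the note's image.
const MALICIOUS_NOTE_HTML = [
  '<img src="map.png" usemap="#attackmap">',
  '<map name="attackmap">',
  '<area shape="rect" coords="34,44,270,350" href="javascript:alert(\'XSS!\')" alt="XSS Area">',
  '</map>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const before = sanitizeHtml(MALICIOUS_NOTE_HTML, URL_ATTRIBUTES_BEFORE);
  const after = sanitizeHtml(MALICIOUS_NOTE_HTML, URL_ATTRIBUTES_AFTER);
  console.log('script URL survives before fix:', containsScriptUrl(before));
  console.log('script URL survives after fix: ', containsScriptUrl(after));
  console.log(after);
}
```

The point of the allowlist shape is that a sanitizer is only as complete as its list of URL-bearing attributes: a, img and iframe being covered says nothing about area, and the same applies to any other element that takes a URL. The normalisation step matters too, since a check that looks for the literal string "javascript:" misses mixed case, numeric character references and embedded tab characters, all of which browsers accept; isSafeUrl rejects those variants as well.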
What you must do:
Joplin’s Official Advisory:
CVE Record:
- CVE-2023-37299 at NIST
- Joplin Release Notes 2.11.5
Original Report:
- https://huntr.com/bounties/944059b9-e613-43b2-a8ee-992f99d8b971/
Final Words
CVE-2023-37299 is a strong reminder: always sanitize inputs—and update your apps regularly! If you’re a developer using Markdown and HTML rendering, double-check image map handling and beware of hidden script injection vectors. For users, keeping software updated is the best defense. The Joplin team handled the bug quickly and transparently—kudos to them and to the security researchers.
Timeline
Published on: 06/30/2023 15:15:00 UTC
Last modified on: 07/06/2023 18:54:00 UTC