
CVE-2022-35131

Severity: Critical · Public PoC available

Published: 25 July 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1 Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.1533 (94.8th percentile)
Risk Priority: 27 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-35131 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Joplin (vendor: joplinapp). Its CVSS base score is 9.0 (Critical).

Operationally, it is ranked in the top 5.2% of CVEs by exploit likelihood (EPSS 94.8th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Joplin version 2.8.8 contains a vulnerability that permits arbitrary command execution through a crafted payload placed in note titles. The issue is tracked as CVE-2022-35131 with a CVSS score of 9.0 and is associated with CWE-79. It affects the desktop application when it processes specially formatted note titles supplied by an attacker.

An authenticated user can supply malicious input that is later rendered for another user, resulting in command execution on the victim's system with high impact on confidentiality, integrity, and availability. The attack requires user interaction, such as viewing the affected note. The changed scope (S:C) in the CVSS vector indicates that the impact extends beyond the vulnerable component itself, crossing a security boundary.

The project released version 2.9.1 to address the flaw, as indicated in the official GitHub tags and project site. A public proof-of-concept repository also documents the title-based injection technique, confirming the need to upgrade from the vulnerable release. The EPSS score has remained steady at 0.1533 with no material increase after disclosure.


Vulnerability details

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

CWE(s)

CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: joplinapp
Product: joplin
Version: 2.8.8

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Addresses CWE-79: Input validation checks web inputs and rejects script-related content that could produce XSS.
- Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
