Do your applications use this vulnerable package?
Test your applications
Overview
remarkable is a markdown parsing library written in Javascript.
Affected versions of this package are vulnerable to Content Injection. Certain input when passed into remarkable will bypass the bad prototcol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.
Details
Example:
[link](<javascript:alert(1)>)
This will be turned into <a href="javascript:alert(1)">link</a>
where as
[link](javascript:alert(1))
Would be rendered as [link](javascript:alert(1))
because it's an invalid scheme.
Remediation
Upgrade remarkable
to version 1.4.1 or higher.
References
CVSS Score
6.5
medium severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityLow
-
IntegrityLow
-
AvailabilityNone
- Credit
- Adam Baldwin
- CVE
- CVE-2014-10065
- CWE
- CWE-74
- Snyk ID
- npm:remarkable:20141113
- Disclosed
- 13 Nov, 2014
- Published
- 13 Nov, 2014