Content Injection

Affecting remarkable package, versions <1.4.1

Overview

Certain input, when passed into remarkable, bypasses the bad-protocol check that disallows the javascript: scheme, allowing javascript: URLs to be injected into the rendered content.

Source: Node Security Project

Details

Example:

[link](<javascript:alert(1)>)

This will be turned into <a href="javascript:alert(1)">link</a>

whereas

[link](javascript:alert(1))

would be rendered as the literal text [link](javascript:alert(1)) because the javascript: scheme fails the bad-protocol check.
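The following is an added example, not remarkable's own code, that illustrates the failure mode above: a scheme check run on the raw link destination never matches `<javascript:alert(1)>` because the string starts with `<`, while a check that first unwraps the CommonMark angle-bracket form (and, going slightly beyond the advisory, strips control characters and whitespace that browsers ignore inside a scheme) rejects it. The `BAD_PROTOCOLS` list, the function names and the `renderLink` output format are assumptions for this example.

```javascript
// Added example (not remarkable's code): why checking the scheme before
// unwrapping a <...> destination misses the advisory's case, and a
// hardened check that normalizes the destination first.

// Assumed deny-list, modelled on common Markdown sanitizers; not taken
// from remarkable's source.
const BAD_PROTOCOLS = /^(javascript|vbscript|file|data):/i;

// Naive check: tests the raw destination text. "<javascript:alert(1)>"
// begins with "<", so the anchored regex never matches and the link is
// rendered with a javascript: href.
function naiveIsBadLink(dest) {
  return BAD_PROTOCOLS.test(dest);
}

// Normalize the destination the way a Markdown renderer will before
// it lands in an href, so the scheme check sees what the browser sees.
function normalizeLinkDestination(dest) {
  let d = dest.trim();
  // CommonMark allows a destination wrapped in angle brackets: <url>
  if (d.length >= 2 && d[0] === '<' && d[d.length - 1] === '>') {
    d = d.slice(1, -1);
  }
  // Browsers ignore ASCII control characters and whitespace inside a
  // scheme, so drop them before matching (e.g. "java\tscript:").
  d = d.replace(/[\u0000-\u0020]/g, '');
  return d;
}

// Hardened check: same deny-list, applied after normalization.
function hardenedIsBadLink(dest) {
  return BAD_PROTOCOLS.test(normalizeLinkDestination(dest));
}

// Minimal attribute escaping for the href value.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render a link the way the advisory describes the safe behaviour:
// a rejected destination is left as literal Markdown text, not a link.
function renderLink(text, dest) {
  if (hardenedIsBadLink(dest)) {
    return `[${text}](${dest})`;
  }
  return `<a href="${escapeAttr(normalizeLinkDestination(dest))}">${text}</a>`;
}

module.exports = { naiveIsBadLink, hardenedIsBadLink, normalizeLinkDestination, renderLink };
```

The point of the comparison is ordering: any deny-list on URL schemes has to run on the fully normalized destination, after every syntactic wrapper the parser accepts has been removed, or the wrapper itself becomes the bypass. Upgrading remarkable is still the fix; this check is what a downstream sanitizer or content-security review can verify independently.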

Remediation

Upgrade to version 1.4.1 or later.

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:H/RL:O/RC:C
Credit
Adam Baldwin
CVE
CVE-2014-10065
CWE
CWE-74
Snyk ID
npm:remarkable:20141113
Disclosed
13 Nov, 2014
Published
13 Nov, 2014