Skip to content

XSS in Data URI in remarkable

High severity GitHub Reviewed Published Nov 9, 2018 to the GitHub Advisory Database • Updated Sep 8, 2023

Package

npm remarkable (npm)

Affected versions

<= 1.6.2

Patched versions

1.7.0

Description

Affected versions of remarkable are vulnerable to cross-site scripting. Vulnerable versions of the package allow the use of data: URIs in links, and can therefore execute javascript.

Proof of Concept

[link](data:text/html,<script>alert('0')</script>)

Recommendation

Update to v1.7.0 or later

References

Published to the GitHub Advisory Database Nov 9, 2018
Reviewed Jun 16, 2020
Last updated Sep 8, 2023

Severity

High

EPSS score

0.070%
(32nd percentile)

Weaknesses

CVE ID

CVE-2017-16006

GHSA ID

GHSA-mrmf-qwxg-7c3h

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.