CVE-2017-16006

EPSS 0.24%

XSS in Data URI in remarkable

Published: 11/9/2018
Modified: 11/8/2023
Also known as: GHSA-mrmf-qwxg-7c3h

Description

Affected versions of `remarkable` are vulnerable to cross-site scripting. Vulnerable versions of the package allow the use of `data:` URIs in links, and can therefore execute JavaScript.

## Proof of Concept

```markdown
[link](data:text/html,<script>alert('0')</script>)
```

## Recommendation

Update to v1.7.0 or later.
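A scheme allowlist applied to link destinations guards against the condition described above, and the same check can audit stored Markdown for affected links. This is an added example, not code from remarkable or from this advisory; the function names, the allowlist contents and the sample links other than the advisory's PoC line are assumptions.

```javascript
// Added example: scheme allowlist for Markdown link destinations.
// Function names and the allowlist are assumptions, not remarkable's code.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');

// Resolve character references the HTML parser would decode inside href="...".
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&colon;/gi, ':');
}

function isSafeHref(href) {
  // URL parsers drop leading C0 controls/spaces and any tab, CR or LF.
  const url = decodeEntities(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
  const i = url.search(/[:/?#]/);
  // No colon before the first path, query or fragment delimiter: relative URL.
  if (i === -1 || url[i] !== ':') return true;
  return ALLOWED_SCHEMES.has(url.slice(0, i).toLowerCase());
}

// Report inline links [text](dest) whose destination fails the allowlist.
function findUnsafeLinks(markdown) {
  const re = /\[([^\]]*)\]\(\s*<?([^)\s>]*)/g;
  const hits = [];
  for (const m of markdown.matchAll(re)) {
    if (!isSafeHref(m[2])) hits.push({ text: m[1], dest: m[2] });
  }
  return hits;
}

// Constructed sample: the advisory's PoC line plus constructed benign links.
const sample = [
  "[link](data:text/html,<script>alert('0')</script>)",
  '[docs](https://example.com/guide)',
  '[top](#section-1)',
  '[mail](mailto:security@example.com)',
  '[upper]( DATA:text/html,x)',
].join('\n');

console.log(findUnsafeLinks(sample).map((h) => h.text));
```

The check rejects every scheme outside the allowlist rather than naming `data:` specifically, so it also covers other script-capable schemes.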

Affected packages (1)

References (4)