Description
XSS in Data URI in remarkable
Affected versions of remarkable are vulnerable to cross-site scripting. Vulnerable versions of the package allow the use of `data:` URIs in links, and can therefore execute JavaScript.
Proof of Concept
[link](data:text/html,<script>alert('0')</script>)
Recommendation
Update to v1.7.0 or later
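The following is an added example, not code from remarkable or from this advisory: it contrasts a scheme blocklist that overlooks `data:` with an allowlist check applied to link destinations before rendering. The function names (`weakIsSafeHref`, `isSafeHref`, `renderLink`) and the allowed-scheme set are assumptions made for illustration; the sample input is the proof-of-concept link destination shown above.

```javascript
// Added example: all names here are hypothetical, not remarkable's API.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy

// Link destination taken from the advisory's proof of concept.
const POC_HREF = "data:text/html,<script>alert('0')</script>";

// Weak check: a blocklist that does not cover data: lets the PoC through.
function weakIsSafeHref(href) {
  const s = String(href).trim().toLowerCase();
  return !(s.startsWith('javascript:') || s.startsWith('vbscript:'));
}

// Hardened check: only allowlisted schemes pass, after normalization.
function isSafeHref(href) {
  // Browsers ignore tab/CR/LF inside a URL and leading control or space
  // characters, so strip them before looking at the scheme (fails closed).
  const s = String(href).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(s);
  if (!m) return true; // no scheme: relative URL, path or fragment
  return ALLOWED_SCHEMES.has(m[1]);
}

// Escape text for use in HTML content and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a markdown link; a rejected destination degrades to plain text.
function renderLink(text, href, check = isSafeHref) {
  return check(href)
    ? `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`
    : escapeHtml(text);
}

// Constructed sample destinations, compared under both checks.
function compareChecks() {
  const samples = [POC_HREF, ' DaTa:text/html,x', 'da\tta:text/html,x',
    'https://example.com/', '/docs/page#intro', 'mailto:user@example.com'];
  return samples.map((h) => ({ href: h, weak: weakIsSafeHref(h), hardened: isSafeHref(h) }));
}

console.log(compareChecks());
```
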
Packages
Name: remarkable (npm)
Affected versions: <= 1.6.2
Fixed version: 1.7.0
Related vulnerabilities
CVSS3: 6.1
nvd
more than 7 years ago
Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkable allows the use of `data:` URIs in links and can therefore execute JavaScript.