npm package
remarkable
pkg:npm/remarkable
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-12043 | — | < 1.7.2 | 1.7.2 | May 13, 2019 | In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL. | ||
| CVE-2019-12041 | — | < 1.7.2 | 1.7.2 | May 13, 2019 | lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section. | ||
| CVE-2017-16006 | — | < 1.7.0 | 1.7.0 | Jun 4, 2018 | Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkable allows the use of `data:` URIs in links and can therefore execute javascript. | ||
| CVE-2014-10065 | — | < 1.4.1 | 1.4.1 | May 31, 2018 | Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content. |
- CVE-2019-12043May 13, 2019affected < 1.7.2fixed 1.7.2
In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.
- CVE-2019-12041May 13, 2019affected < 1.7.2fixed 1.7.2
lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section.
- CVE-2017-16006Jun 4, 2018affected < 1.7.0fixed 1.7.0
Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkable allows the use of `data:` URIs in links and can therefore execute javascript.
- CVE-2014-10065May 31, 2018affected < 1.4.1fixed 1.4.1
Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.