Naturally Produced Modules
remarkable

Content Injection

Severity: high

Overview

Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly whitelist link protocols, and consequently allowed javascript: to be used.

Proof of Concept

Markdown Source:

[link](<javascript:alert(1)>)

Rendered HTML:

<a href="javascript:alert(1)">link</a>

Remediation

Update to version 1.4.1 or later

Vulnerable versions

0.1.0
4 years ago
1.0.0
4 years ago
1.1.0
4 years ago
1.1.1
4 years ago
1.1.2
4 years ago
1.2.0
4 years ago
1.2.1
4 years ago
1.2.2
4 years ago
1.3.0
4 years ago
1.4.0
4 years ago

Unaffected versions

1.4.1
4 years ago
1.4.2
4 years ago
1.5.0
4 years ago
1.6.0
4 years ago
1.6.1
3 years ago
1.6.2
3 years ago
1.7.0
2 years ago
1.7.1
2 years ago

Advisory timeline

  1. Published

    Advisory published
    Nov 13th, 2014
  2. Reported

    Initial report by Adam Baldwin
    Oct 17th, 2015