remarkable
Content Injection
Overview
Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly whitelist link protocols, and consequently allowed javascript: to be used.
Proof of Concept
Markdown Source:
[link](<javascript:alert(1)>)
Rendered HTML:
<a href="javascript:alert(1)">link</a>
Remediation
Update to version 1.4.1 or later
Vulnerable versions
- 0.1.0
- 4 years ago
- 1.0.0
- 4 years ago
- 1.1.0
- 4 years ago
- 1.1.1
- 4 years ago
- 1.1.2
- 4 years ago
- 1.2.0
- 4 years ago
- 1.2.1
- 4 years ago
- 1.2.2
- 4 years ago
- 1.3.0
- 4 years ago
- 1.4.0
- 4 years ago
Unaffected versions
- 1.4.1
- 4 years ago
- 1.4.2
- 4 years ago
- 1.5.0
- 4 years ago
- 1.6.0
- 4 years ago
- 1.6.1
- 3 years ago
- 1.6.2
- 3 years ago
- 1.7.0
- 2 years ago
- 1.7.1
- 2 years ago
Advisory timeline
Published
Advisory publishedNov 13th, 2014Reported
Initial report by Adam BaldwinOct 17th, 2015
