Lucene search

GitHub Advisory DatabaseGHSA-MRMF-QWXG-7C3H

HistoryNov 09, 2018 - 5:48 p.m.

XSS in Data URI in remarkable

2018-11-0917:48:20

CWE-79

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

30.8%

JSON

Affected versions of remarkable are vulnerable to cross-site scripting. Vulnerable versions of the package allow the use of data: URIs in links, and can therefore execute javascript.

Proof of Concept

[link](data:text/html,&lt;script&gt;alert('0')&lt;/script&gt;)

Recommendation

Update to v1.7.0 or later

Affected configurations

Vulners

Node

remarkable_projectremarkableRange≤1.6.2

CPENameOperatorVersion
remarkablele1.6.2

CPE	Name	Operator	Version
	remarkable	le	1.6.2

References

github.com/advisories/GHSA-mrmf-qwxg-7c3h

github.com/jonschlinkert/remarkable/issues/227

nvd.nist.gov/vuln/detail/CVE-2017-16006

www.npmjs.com/advisories/319

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

30.8%

JSON

Related for GHSA-MRMF-QWXG-7C3H