CVE-2014-10065
Content Injection in remarkable
EPSS 0.24%
Description
Versions 1.4.0 and earlier of `remarkable` are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of `remarkable` did not properly whitelist link protocols, and consequently allowed `javascript:` to be used. ### Proof of Concept Markdown Source: ``` [link](<javascript:alert(1)>) ``` Rendered HTML: ``` <a href="javascript:alert(1)">link</a> ``` ## Recommendation Update to version 1.4.1 or later
How to fix CVE-2014-10065
To remediate CVE-2014-10065, upgrade the affected package to a fixed version below.
- —upgrade to 1.4.1 or later
Is CVE-2014-10065 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.4.1