CVE-2017-16006
XSS in Data URI in remarkable
EPSS 0.24%
Description
Affected versions of `remarkable` are vulnerable to cross-site scripting. Vulnerable versions of the package accept `data:` URIs as link destinations, so a Markdown link can point at a `data:text/html` document that carries attacker-supplied HTML and JavaScript; when a user follows the link, that script executes in the browser.

## Proof of Concept

```markdown
[link](data:text/html,<script>alert('0')</script>)
```

## Recommendation

Update to v1.7.0 or later.
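The check below is an added example, not remarkable's own code, showing the kind of link-target validation that closes this class of bug: decode entities, normalise the string the way a browser's URL parser would, and reject a deny-listed scheme. It is wired into a minimal `[text](href)` renderer so the advisory's proof of concept can be seen being neutralised. All function names (`isSafeHref`, `renderLink`, `decodeEntities`) and the deny list are this example's own choices.

```javascript
// Added example, not remarkable's own code: a scheme deny-list check on link
// targets of the kind that closes this bug class, plus a minimal [text](href)
// renderer to show the advisory's proof of concept being neutralised.
// Function names and the deny list are this example's own assumptions.

const BAD_SCHEMES = new Set(['javascript', 'vbscript', 'data', 'file']);

// Decode numeric and the few named entities an attacker can use to hide a
// scheme from a naive string check, e.g. "&#x64;ata:" or "java&Tab;script:".
function decodeEntities(s) {
  const cp = (digits, base) => {
    const n = parseInt(digits, base);
    return n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD';
  };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(h, 16))
    .replace(/&#(\d+);?/g, (_, d) => cp(d, 10))
    .replace(/&colon;/gi, ':')
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n');
}

// Returns true when href has no scheme, or a scheme outside the deny list.
function isSafeHref(href) {
  let s = decodeEntities(String(href)).toLowerCase();
  // Mirror the WHATWG URL parser: drop leading/trailing C0 controls and
  // spaces, and strip tab/CR/LF anywhere, before looking for a scheme.
  s = s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '').replace(/[\t\r\n]/g, '');
  const colon = s.indexOf(':');
  if (colon === -1) return true;            // relative URL, no scheme at all
  const scheme = s.slice(0, colon);
  // "/a:b", "?x:y" or "#x:y" is a path/query/fragment, not a scheme.
  if (/[\/?#]/.test(scheme)) return true;
  return !BAD_SCHEMES.has(scheme);
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Renders a single inline link "[text](href)". Attribute escaping alone does
// not help here: the browser un-escapes the href before navigating, so a
// data:text/html target still runs its script. An unsafe target is dropped
// and only the escaped link text is emitted.
function renderLink(markdown) {
  const m = /^\[([^\]]*)\]\((.*)\)$/.exec(markdown.trim());
  if (!m) return escapeHtml(markdown);
  const [, text, href] = m;
  if (!isSafeHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// The advisory's proof of concept (constructed input, copied from above).
const POC = "[link](data:text/html,<script>alert('0')</script>)";
console.log(renderLink(POC));                               // anchor dropped
console.log(renderLink('[docs](https://example.com/a:b)')); // anchor kept
```

The deny-list approach mirrors how Markdown renderers of this era fixed the issue; a renderer that also needs inline images over `data:` would allow-list specific `data:image/...` types instead of rejecting the scheme outright, which is a policy choice not covered by this advisory.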
How to fix CVE-2017-16006
To remediate CVE-2017-16006, upgrade the affected package to a fixed version below.
- npm/remarkable—upgrade to 1.7.0 or later
Is CVE-2017-16006 being exploited?
Low. The EPSS score is 0.24%, meaning the EPSS model estimates a low probability of this vulnerability being exploited in the wild over the next 30 days; note that EPSS is a prediction, not a record of observed attacks.
Affected packages (1)
- npm/remarkable: >= 0, < 1.7.0