CVE-2014-10065: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

August 31, 2020 (updated January 8, 2021)

Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url’s to be injected into the rendered content.

References

github.com/advisories/GHSA-f9vc-q3hh-qhfv
github.com/jonschlinkert/remarkable/issues/97
nodesecurity.io/advisories/30
nvd.nist.gov/vuln/detail/CVE-2014-10065
www.npmjs.com/advisories/30

Detect and mitigate CVE-2014-10065 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →