
Github Dependency Security Alert #338

Closed
will-amaral opened this issue Jun 6, 2019 · 3 comments

Comments

@will-amaral

There are two security alerts regarding the 1.7.1 npm version.

More specifically:

high severity
Vulnerable versions: <= 1.7.1
Patched version: No fix
lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section.

CVE-2019-12043

moderate severity
Vulnerable versions: <= 1.7.1
Patched version: No fix
In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.

Are there any plans for a new version to patch these issues?

@eahefnawy

Facing the same issue

@claudiopro

This is a duplicate of #332

@shockey
Collaborator

shockey commented Jul 19, 2019

Closing as a duplicate of #331 + #332.

@shockey shockey closed this as completed Jul 19, 2019