Description
In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.
Remediation
References
https://github.com/jonschlinkert/remarkable/issues/332
Related Vulnerabilities
CVE-2020-28472 Vulnerability in npm package @aws-sdk/shared-ini-file-loader
CVE-2020-12265 Vulnerability in npm package decompress
CVE-2021-23353 Vulnerability in maven package org.webjars.npm:jspdf
CVE-2022-39322 Vulnerability in npm package @keystone-6/core
CVE-2011-4367 Vulnerability in maven package org.apache.myfaces.core:myfaces-core-project