CVE-2019-12043
XSS vulnerability in remarkable (npm)

XSS No known exploit

What is CVE-2019-12043 About?

This vulnerability is an XSS (Cross-Site Scripting) flaw in remarkable 1.7.1, stemming from improper URL filtering. It allows attackers to inject malicious scripts into web pages via specially crafted URLs containing unprintable characters. Exploitation is relatively easy as it leverages existing input mechanisms.

Affected Software

remarkable <1.7.2

Technical Details

The vulnerability resides in the lib/parser_inline.js component of remarkable 1.7.1, where URL filtering mechanisms fail to properly sanitize input. Specifically, the parser mishandles URLs containing unprintable characters (e.g., \x0e). An attacker can craft a URL such as \x0ejavascript:alert(document.cookie) which, due to the inadequate filtering, bypasses security checks. When this crafted URL is processed or rendered, the javascript: scheme is recognized and executed, leading to a Cross-Site Scripting attack in the victim's browser context.

What is the Impact of CVE-2019-12043?

Successful exploitation may allow attackers to execute arbitrary client-side script code, hijack user sessions, deface web pages, redirect users to malicious sites, or perform other unauthorized actions within the context of the user's browser.

What is the Exploitability of CVE-2019-12043?

Exploitation of this XSS vulnerability is of low to moderate complexity. It typically requires an attacker to inject a specially crafted URL containing unprintable characters into a web application that uses the vulnerable library. No authentication is explicitly required for the injection itself, but the victim must interact with the crafted URL or content where it is rendered. The attacker needs to deliver the malicious URL to a victim, perhaps through phishing or by embedding it on a compromised site. This is a client-side attack, meaning the attacker targets the end-user's browser rather than direct server compromise. The primary prerequisite is for the application to use the vulnerable version of remarkable.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2019-12043?

Available Upgrade Options

  • remarkable
    • <1.7.2 → Upgrade to 1.7.2

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2019-12043?

Similar Vulnerabilities: CVE-2023-38545 , CVE-2023-38146 , CVE-2023-34062 , CVE-2023-34316 , CVE-2023-28434

All Rights reserved 2025
Privacy Policy