CVE-2019-12184

Name of the Vulnerable Software and Affected Versions Boostnote version 0.11.15

Description The issue is related to a XSS in the browser/components/MarkdownPreview.js component. It can be triggered via a label named flowchart, sequence, gallery, or chart. A crafted SRC attribute of an IFRAME element can be used to exploit this issue.

Recommendations For Boostnote version 0.11.15, consider disabling the Markdown preview feature until a patch is available. Restrict access to the MarkdownPreview.js component to minimize the risk of exploitation. Avoid using labels named flowchart, sequence, gallery, or chart in the affected component until the issue is resolved.