CVE-2020-16608: 
NixOS vulnerability analysis and mitigation

Notable 1.8.4, a Markdown-based note-taking app, contains a vulnerability identified as CVE-2020-16608. The vulnerability allows attackers to perform Cross-Site Scripting (XSS) attacks via crafted Markdown text, which can lead to remote code execution due to nodeIntegration being enabled in webPreferences (Notable Github, Security Blog).

The vulnerability exists due to improper sanitization of input in the markdown parser combined with nodeIntegration being set to true in the Electron application's configuration. When nodeIntegration is enabled, it grants web pages full access to Node.js APIs, which can be exploited through XSS to execute arbitrary code on the system (Security Blog).

The vulnerability allows attackers to execute arbitrary code on the victim's system through crafted markdown files. An attacker could potentially gain complete access to the victim's system by executing malicious payloads, either local or remote, when the markdown file is parsed (Security Blog).

The vulnerability was reported to the developer on April 24, 2020. While the developer acknowledged the issue and indicated it would be fixed in future builds, as of version 1.9.0-beta, the vulnerability remained unfixed. Users should exercise caution when opening untrusted markdown files in affected versions (Security Blog).