Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wM3JwLXZtajktZ3Y2ds0g-Q
Incorrect sanitisation function leads to `XSS` in mermaid
Impact
Malicious diagrams can contain javascript code that can be run at diagram readers machines.
Patches
The users should upgrade to version 8.13.8
Workarounds
You need to upgrade in order to avoid this issue.
Permalink: https://github.com/advisories/GHSA-p3rp-vmj9-gv6vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wM3JwLXZtajktZ3Y2ds0g-Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-p3rp-vmj9-gv6v, CVE-2021-43861
References:
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
- https://nvd.nist.gov/vuln/detail/CVE-2021-43861
- https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
- https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
- https://github.com/advisories/GHSA-p3rp-vmj9-gv6v
Blast Radius: 29.7
Affected Packages
npm:mermaid
Dependent packages: 554Dependent repositories: 13,441
Downloads: 2,705,435 last month
Affected Version Ranges: < 8.13.8
Fixed in: 8.13.8
All affected versions: 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.1.0, 7.1.1, 7.1.2, 8.0.0, 8.1.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.3.0, 8.3.1, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.4.6, 8.4.7, 8.4.8, 8.5.0, 8.5.1, 8.5.2, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.6.4, 8.7.0, 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.10.1, 8.10.2, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.11.4, 8.11.5, 8.12.0, 8.12.1, 8.13.0, 8.13.1, 8.13.2, 8.13.3, 8.13.4, 8.13.5, 8.13.6, 8.13.7
All unaffected versions: 8.13.8, 8.13.9, 8.13.10, 8.14.0, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.2, 9.4.3, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.3.0, 10.3.1, 10.4.0, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.9.0