Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThmdzQteGg4My0zajZx
Cross-Site Scripting in diagram-js
Versions of diagram-js prior to 3.3.1 (for 3.x) and 2.6.2 (for 2.x) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript.
Recommendation
If you are using diagram-js 3.x, upgrade to version 3.3.1. If you are using diagram-js 2.x, upgrade to version 2.6.2.
Permalink: https://github.com/advisories/GHSA-8fw4-xh83-3j6qJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThmdzQteGg4My0zajZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 9 months ago
Identifiers: GHSA-8fw4-xh83-3j6q
References:
- https://www.npmjs.com/advisories/982
- https://github.com/bpmn-io/diagram-js
- https://github.com/advisories/GHSA-8fw4-xh83-3j6q
Affected Packages
npm:diagram-js
Versions: >= 3.0.0, < 3.3.1, < 2.6.2Fixed in: 3.3.1, 2.6.2