Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Cross-Site Scripting in dmn-js-properties-panel

Versions of dmn-js-properties-panel prior to 0.8.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript into the embedding website.

Recommendation

Upgrade to version 0.3.0 or later.

Permalink: https://github.com/advisories/GHSA-h9wr-xr4r-66fh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg5d3IteHI0ci02NmZo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 4 years ago
Updated: almost 2 years ago


Identifiers: GHSA-h9wr-xr4r-66fh
References:
Blast Radius: 0.0

Affected Packages

npm:dmn-js-properties-panel
Dependent packages: 11
Dependent repositories: 32
Downloads: 13,667 last month
Affected Version Ranges: < 0.3.0
Fixed in: 0.3.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0
All unaffected versions: 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 2.0.0, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2