Description
Versions of diagram-js prior to 3.3.1 (for 3.x) and 2.6.2 (for 2.x) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript.
Recommendation
Update the diagram-js package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.3.1 < 2.6.2** Patched version(s): **3.3.1 2.6.2**
References
Related Issues
- Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site - Vulnerability
- bootstrap Cross-site Scripting vulnerability - bootstrap - CVE-2018-20677
- bootstrap Cross-site Scripting vulnerability - bootstrap-sass - GHSA-ph58-4vrj-w6hr - CVE-2018-20677
- Cross-Site Scripting in snekserve - Vulnerability
You might also like:
- Tags:
- npm
- diagram-js
Anything's wrong? Let us know Last updated on October 03, 2023


