Description
Versions of diagram-js prior to 3.3.1 (for 3.x) and 2.6.2 (for 2.x) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript.
Recommendation
Update the diagram-js package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.3.1 < 2.6.2** Patched version(s): **3.3.1 2.6.2**
References
Related Issues
- Firebase vulnerable to CRSF attack - CVE-2024-4128
- Cube API denial of service attack - CVE-2023-50709
- Prototype Pollution in protobufjs - CVE-2022-25878
- Cross-Site Scripting in highcharts - Vulnerability
- Tags:
- npm
- diagram-js
Anything's wrong? Let us know Last updated on October 03, 2023