Description
Versions of diagram-js prior to 3.3.1 (for 3.x) and 2.6.2 (for 2.x) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript.
Recommendation
Update the diagram-js package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.3.1 < 2.6.2** Patched version(s): **3.3.1 2.6.2**
References
Related Issues
- PostCSS line return parsing error - CVE-2023-44270
- mavo DOM Clobbering vulnerability - CVE-2024-53388
- Cube API denial of service attack - CVE-2023-50709
- Prototype Pollution in protobufjs - CVE-2022-25878
- Tags:
- npm
- diagram-js
Anything's wrong? Let us know Last updated on October 03, 2023