Cross-Site Scripting in diagram-js

Severity:: Medium

Description

Versions of diagram-js prior to 3.3.1 (for 3.x) and 2.6.2 (for 2.x) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript.

Recommendation

Update the diagram-js package to the latest compatible version. Followings are version details:

Affected version(s): **>= 3.0.0, < 3.3.1 < 2.6.2**
Patched version(s): **3.3.1 2.6.2**

References

GHSA-8fw4-xh83-3j6q
bpmn.io
CWE-79
OWASP 2021-A3

Related Issues

Cross-Site Scripting in bootstrap-select (GHSA-9r7h-6639-v5mw) - Vulnerability
Froala Editor Cross-site Scripting vulnerability - CVE-2023-41592
Cross Site Scripting vulnerability in store2 - CVE-2024-57556
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350

Tags:: npm; diagram-js

Anything's wrong? Let us know Last updated on October 03, 2023