Cross-Site Scripting in mermaid (GHSA-w32g-5hqp-gg6q)

Description

Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.

Recommendation

Update the mermaid package to the latest compatible version. Followings are version details:

• Affected version(s): < 8.2.3
• Patched version(s): 8.2.3

References

• GHSA-w32g-5hqp-gg6q
• www.npmjs.com
• CWE-79
• OWASP 2021-A3

Related Issues

• Cross-Site Scripting in swagger-ui (GHSA-4f9m-pxwh-68hg) - Vulnerability
• Cross-Site Scripting in swagger-ui (GHSA-vp93-gcx5-4w52) - Vulnerability
• Cross-Site Scripting in swagger-ui (GHSA-w992-2gmj-9xxj) - Vulnerability
• Cross-Site Scripting in bootstrap-select (GHSA-9r7h-6639-v5mw) - Vulnerability

Tags:

npm

mermaid