Cross-site Scripting in ZenUML

Description

Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting (XSS).

Recommendation

Update the @zenuml/core package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.23.25
• Patched version(s): 3.23.25

References

• GHSA-q6xv-jm4v-349h
• CVE-2024-38527
• CWE-79
• CWE-80
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - CVE-2024-6783
• Stimulsoft Dashboard.JS Cross Site Scripting vulnerability - CVE-2024-24396
• Cross-site Scripting in electron-pdf - CVE-2024-1648
• Stimulsoft Dashboard.JS Cross Site Scripting vulnerability (GHSA-9cgf-pxwq-2cpw) - CVE-2024-24397

Tags:

npm

@zenuml/core