Possible to inject arbitrary `CSS` into the generated graph, affecting the container HTML
- Severity: Medium
Description
An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.
Recommendation
Update the mermaid package to the latest compatible version. Version details:
- Affected version(s): >= 8.0.0, < 9.1.2
- Patched version(s): 9.1.2
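
To confirm whether a project still resolves an affected copy, including transitive ones, the following added example (not part of the advisory or of mermaid's own code) scans the `packages` map of a `package-lock.json` for mermaid versions in the range above. It assumes a lockfileVersion 2 or 3 layout; the function names and the sample lockfile are constructed for illustration, and prerelease suffixes are ignored.

```javascript
// Parse "major.minor.patch" into numbers; a prerelease/build suffix is ignored
// (simplifying assumption), and unparsable strings return null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_FROM = [8, 0, 0]; // inclusive lower bound from the advisory
const PATCHED = [9, 1, 2];       // first patched version from the advisory

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_FROM) >= 0 && compare(v, PATCHED) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every install path of mermaid, including nested (transitive) copies.
function findAffectedMermaid(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "mermaid" && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-site", version: "1.0.0" },
    "node_modules/mermaid": { version: "9.1.2" },
    "node_modules/md-renderer/node_modules/mermaid": { version: "8.13.10" },
    "node_modules/mermaid-cli-helper": { version: "8.5.0" },
  },
};

console.log(findAffectedMermaid(sampleLock));
```

In a real project, replace `sampleLock` with the parsed contents of the project's own `package-lock.json`; a nested hit means a dependency pins its own older copy and needs its own upgrade or an override.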
References
Related Issues
- Unsanitized JavaScript code injection possible in gatsby-plugin-mdx - CVE-2022-25863
- jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method - CVE-2022-31147
- Joplin is vulnerable to arbitrary code execution - CVE-2022-35131
- React Editable Json Tree vulnerable to arbitrary code execution via function parsing - CVE-2022-36010
- Tags: npm, mermaid
Last updated on July 21, 2023