Possible inject arbitrary `CSS` into the generated graph affecting the container HTML

Severity:: Medium

Description

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

Recommendation

Update the mermaid package to the latest compatible version. Followings are version details:

Affected version(s): >= 8.0.0, < 9.1.2
Patched version(s): 9.1.2

References

GHSA-x3vm-38hw-55wf
CVE-2022-31108
CWE-74
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Joplin is vulnerable to arbitrary code execution - CVE-2022-35131
Raneto Denial of Service via crafted payload injected into `Search` parameter - CVE-2022-35142
nadesiko3 allows remote attacker to inject invalid value to decodeURIComponent of nako3edit - CVE-2022-41777
jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method - CVE-2022-31147

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; mermaid

Anything's wrong? Let us know Last updated on July 21, 2023