Ecosystem: npm. Severity: unknown.
Cross-Site Scripting in mermaid
GHSA-w32g-5hqp-gg6q
Description
Versions of mermaid prior to 8.2.3 are vulnerable to cross-site scripting (XSS). Node label text is written into the rendered output without HTML encoding, so input such as A["<img src=invalid onerror=alert('XSS')></img>"] is interpreted as markup rather than shown as text, and the onerror handler runs in the context of the page that embeds the diagram. The risk is greatest where diagram source is supplied by untrusted users, for example wikis, issue trackers and markdown renderers that pass user content to mermaid.
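To make the failure concrete, the following is an added example (not mermaid's own code, and not from this advisory) that parses the advisory's payload as a quoted node definition, renders the label both the vulnerable way (verbatim interpolation) and the hardened way (HTML encoding of the label), and checks which output still contains live markup. The helpers parseNodeLabel, renderLabelUnsafe, renderLabelSafe, encodeHtml and containsActiveMarkup are hypothetical names chosen for illustration; the <text> wrapper stands in for whatever element the renderer emits.

```javascript
// Added example: why the advisory's payload executes when a label is
// interpolated into markup unencoded, and how output encoding defuses it.
// Helper names and the <text> wrapper are assumptions for illustration.

// The payload quoted in the advisory, embedded inline so this runs offline.
const ADVISORY_PAYLOAD = `A["<img src=invalid onerror=alert('XSS')></img>"]`;

// Extract id and label from a mermaid-style quoted node definition: id["label"].
function parseNodeLabel(nodeDef) {
  const m = /^(\w+)\["([\s\S]*)"\]$/.exec(nodeDef.trim());
  if (!m) throw new Error('not a quoted node definition');
  return { id: m[1], label: m[2] };
}

// Vulnerable pattern: the label is dropped into the output verbatim, so any
// tags and event-handler attributes it carries become part of the DOM.
function renderLabelUnsafe(label) {
  return `<text>${label}</text>`;
}

// Hardened pattern: encode every character that can open a tag, close one,
// or terminate an attribute value before interpolating.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderLabelSafe(label) {
  return `<text>${encodeHtml(label)}</text>`;
}

// Cheap check on the rendered fragment: after stripping the known wrapper,
// is there any element tag left, or an on* handler inside a tag? Encoded text
// contains no literal '<', so it passes; verbatim interpolation fails.
function containsActiveMarkup(html) {
  const inner = html.replace(/^<text>|<\/text>$/g, '');
  return /<\s*[a-z]/i.test(inner) || /<[^>]*\bon[a-z]+\s*=/i.test(inner);
}

// Stand-alone run: show both renderings side by side.
const { id, label } = parseNodeLabel(ADVISORY_PAYLOAD);
console.log(`node ${id}`);
console.log('unsafe :', renderLabelUnsafe(label), '->', containsActiveMarkup(renderLabelUnsafe(label)));
console.log('safe   :', renderLabelSafe(label), '->', containsActiveMarkup(renderLabelSafe(label)));
```

The point of the check is that the encoded output still contains the literal string onerror=, which is harmless as text; only a literal < can turn it into an attribute of a tag, which is why the detector looks for handlers inside tags rather than anywhere in the string.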
Recommendation
Upgrade to mermaid version 8.2.3 or later. Until then, do not pass diagram source from untrusted users to mermaid.