2 matches found
CVE-2021-37860
Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP...
Cross-Site Scripting
Overview: Versions of diagram-js-direct-editing prior to 1.4.3 are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser.
Recommendation: Upgrade to version 1.4.3 or later.
References -...