mermaid is vulnerable to cross-site scripting. The vulnerability exists in the sanitizeUrl
function in the svgDraw.js
, allowing an attacker to inject and execute malicious javascript through the malicious diagrams.
CPE | Name | Operator | Version |
---|---|---|---|
mermaid | le | 8.13.7 | |
mermaid | le | 8.13.7 | |
mermaid | le | 8.13.7 | |
mermaid | le | 8.13.7 | |
node-mermaid:sid | eq | 8.7.0+ds+~cs27.17.17-2 | |
node-mermaid:bullseye | eq | 8.7.0+ds+~cs27.17.17-2 |
github.com/advisories/GHSA-p3rp-vmj9-gv6v
github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
github.com/mermaid-js/mermaid/commit/f4c335ad2f4059b3fbf9114f37440e77f8ca9a4d
github.com/mermaid-js/mermaid/releases/tag/8.13.8
github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v