Description
Mermaid improperly sanitizes sequence diagram labels leading to XSS
Summary
In the default configuration of mermaid 11.9.0, user-supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.
Details
Sequence diagram node labels containing KaTeX delimiters are passed through calculateMathMLDimensions. This method assigns the full label to innerHTML, which lets a malicious user inject arbitrary HTML and cause XSS when mermaid-js is used in its default configuration (with KaTeX support enabled).
The vulnerability lies here:
The calculateMathMLDimensions method was introduced in commit 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago and was first released in Mermaid 10.9.0.
PoC
Render the following diagram and observe the modified DOM.
Impact
XSS on all sites that use mermaid and render user-supplied diagrams without further sanitization.
Remediation
The value of the text argument of the calculateMathMLDimensions method needs to be sanitized before it is passed on to innerHTML.
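The following is an added example, not mermaid's own code or the project's fix. It puts the pattern described above (the whole label written to innerHTML while its size is measured) next to a hardened measurer that escapes every non-math segment before the assignment, which is the remediation the advisory calls for. The use of $$...$$ as the KaTeX delimiter, the renderMath stub standing in for katex.renderToString, and the fakeElement stand-in for a DOM node are assumptions made so the snippet runs under Node without a browser or KaTeX installed.

```javascript
// Added example, not mermaid's own code. It contrasts the pattern the advisory
// describes (the whole label written to innerHTML while measuring it) with a
// hardened measurer that escapes every non-math segment first. The use of
// $$...$$ as the KaTeX delimiter, the rendering stub and the fake element are
// assumptions made so the snippet runs under Node without a browser or KaTeX.

// Constructed attacker-controlled label: prose, a KaTeX block, then a payload.
const MALICIOUS_LABEL = 'Hi $$x^2$$ <img src=x onerror="alert(1)">';

// Minimal stand-in for a DOM element. In a browser, pass
// document.createElement('div') instead and read offsetWidth/offsetHeight.
function fakeElement() {
  return { innerHTML: '' };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for katex.renderToString(tex, { output: 'mathml' }); KaTeX itself
// escapes the TeX source, so the math segment is not the injection point.
function renderMath(tex) {
  return `<math><mi>${escapeHtml(tex)}</mi></math>`;
}

// Vulnerable pattern: the raw label is the innerHTML sink.
function measureVulnerable(el, label) {
  el.innerHTML = label;
  return el.innerHTML;
}

// Hardened pattern: split on the delimiters, escape prose, render math only.
// An unclosed delimiter never matches, so such a label is escaped as a whole.
function toSafeMarkup(label) {
  return label
    .split(/(\$\$[\s\S]*?\$\$)/)
    .map((part) =>
      part.length >= 4 && part.startsWith('$$') && part.endsWith('$$')
        ? renderMath(part.slice(2, -2))
        : escapeHtml(part)
    )
    .join('');
}

function measureSafe(el, label) {
  el.innerHTML = toSafeMarkup(label);
  return el.innerHTML;
}

// Detection helper: any tag other than the MathML elements the renderer is
// expected to emit means attacker-controlled markup survived into the sink.
function containsForeignTag(markup) {
  return /<(?!\/?(?:math|mi|mo|mn|mrow|msup)\b)[a-z]/i.test(markup);
}

// Stand-alone run: print both results so the difference is visible.
console.log('vulnerable:', measureVulnerable(fakeElement(), MALICIOUS_LABEL));
console.log('hardened:  ', measureSafe(fakeElement(), MALICIOUS_LABEL));
```

The hardened path keeps the measurement semantics (the element still receives markup, so the rendered math is measured at its real size) while ensuring only the KaTeX output, never the surrounding label text, reaches innerHTML unescaped.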
References
Packages
Package   Affected versions               Patched version
mermaid   >= 11.0.0-alpha.1, < 11.10.0    11.10.0
mermaid   >= 10.9.0-rc.1, < 10.9.4        10.9.4
Related vulnerabilities
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.