Description
Cross-Site Scripting in diagram-js
Versions of diagram-js prior to 3.3.1 (for 3.x) and 2.6.2 (for 2.x) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript.
Recommendation
If you are using diagram-js 3.x, upgrade to version 3.3.1. If you are using diagram-js 2.x, upgrade to version 2.6.2.
Packages
Name: diagram-js (npm)
Affected versions: < 2.6.2
Fixed version: 2.6.2
Name: diagram-js (npm)
Affected versions: >= 3.0.0, < 3.3.1
Fixed version: 3.3.1
Weaknesses
CWE-79