CVE-2024-38527

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-38527
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38527.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-38527
Aliases
Published
2024-06-26T20:15:16Z
Modified
2024-06-28T01:53:03.887026Z
Summary
[none]
Details

ZenUML is a JavaScript-based diagramming tool that requires no server, using Markdown-inspired text definitions and a renderer to create and modify sequence diagrams. Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting (XSS). The comment feature allows the user to attach small notes for reference. It lets the user write the comment in Markdown, so common Markdown features such as ** for bold text are available. However, the Markdown text is currently not sanitized before rendering, allowing an attacker to supply a malicious payload as the comment, which leads to XSS. This puts existing applications that render user-controlled diagrams with an unsandboxed ZenUML at risk of arbitrary JavaScript execution. This vulnerability was patched in version 3.23.25.

References

Affected packages

Git / github.com/mermaid-js/zenuml-core

Affected ranges

Type
GIT
Repo
https://github.com/mermaid-js/zenuml-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

release-159-cb9a6
release-20200616
release-20200616-2
release-tag-test001
tag-commit-147cb9a6
tag-commit-16-cb9a6
tag-commit-229-cb9a6
tag-commit-377-efcd6
tag-commit-555-7da3f
tag-commit-784-cb9a6
tag-commit-82cb9a6
tag-commit-897-cb9a6
tag-commit-cb9a6
tag-commit-efcd6

v0.*

v0.9.10

v1.*

v1.0.1
v1.0.10
v1.0.100
v1.0.101
v1.0.102
v1.0.103
v1.0.104
v1.0.105
v1.0.106
v1.0.107
v1.0.108
v1.0.109
v1.0.11
v1.0.110
v1.0.111
v1.0.112
v1.0.113
v1.0.114
v1.0.115
v1.0.116
v1.0.117
v1.0.118
v1.0.119
v1.0.12
v1.0.120
v1.0.121
v1.0.122
v1.0.123
v1.0.124
v1.0.125
v1.0.126
v1.0.127
v1.0.128
v1.0.129
v1.0.13
v1.0.130
v1.0.131
v1.0.132
v1.0.133
v1.0.134
v1.0.135
v1.0.136
v1.0.137
v1.0.138
v1.0.139
v1.0.14
v1.0.140
v1.0.141
v1.0.142
v1.0.143
v1.0.144
v1.0.145
v1.0.146
v1.0.147
v1.0.148
v1.0.149
v1.0.15
v1.0.150
v1.0.151
v1.0.152
v1.0.157
v1.0.158
v1.0.159
v1.0.16
v1.0.160
v1.0.161
v1.0.162
v1.0.163
v1.0.164
v1.0.165
v1.0.166
v1.0.167
v1.0.168
v1.0.169
v1.0.17
v1.0.170
v1.0.171
v1.0.172
v1.0.173
v1.0.174
v1.0.175
v1.0.176
v1.0.177
v1.0.178
v1.0.179
v1.0.18
v1.0.180
v1.0.182
v1.0.184
v1.0.185
v1.0.186
v1.0.187
v1.0.188
v1.0.189
v1.0.19
v1.0.190
v1.0.191
v1.0.192
v1.0.193
v1.0.194
v1.0.195
v1.0.196
v1.0.197
v1.0.198
v1.0.199
v1.0.2
v1.0.20
v1.0.200
v1.0.201
v1.0.202
v1.0.203
v1.0.204
v1.0.205
v1.0.206
v1.0.207
v1.0.208
v1.0.209
v1.0.21
v1.0.210
v1.0.211
v1.0.212
v1.0.213
v1.0.214
v1.0.215
v1.0.216
v1.0.217
v1.0.218
v1.0.219
v1.0.22
v1.0.220
v1.0.221
v1.0.222
v1.0.223
v1.0.224
v1.0.225
v1.0.226
v1.0.227
v1.0.228
v1.0.229
v1.0.23
v1.0.230
v1.0.231
v1.0.233
v1.0.234
v1.0.235
v1.0.236
v1.0.237
v1.0.238
v1.0.239
v1.0.24
v1.0.240
v1.0.241
v1.0.242
v1.0.243
v1.0.244
v1.0.245
v1.0.246
v1.0.247
v1.0.248
v1.0.25
v1.0.250
v1.0.253
v1.0.258
v1.0.259
v1.0.26
v1.0.260
v1.0.261
v1.0.262
v1.0.263
v1.0.264
v1.0.265
v1.0.266
v1.0.267
v1.0.268
v1.0.269
v1.0.27
v1.0.270
v1.0.271
v1.0.272
v1.0.273
v1.0.274
v1.0.28
v1.0.29
v1.0.3
v1.0.30
v1.0.31
v1.0.32
v1.0.33
v1.0.34
v1.0.36
v1.0.37
v1.0.38
v1.0.39
v1.0.4
v1.0.40
v1.0.41
v1.0.42
v1.0.43
v1.0.44
v1.0.45
v1.0.46
v1.0.47
v1.0.48
v1.0.49
v1.0.5
v1.0.50
v1.0.51
v1.0.52
v1.0.53
v1.0.54
v1.0.55
v1.0.56
v1.0.57
v1.0.58
v1.0.59
v1.0.6
v1.0.60
v1.0.61
v1.0.62
v1.0.63
v1.0.64
v1.0.65
v1.0.66
v1.0.67
v1.0.68
v1.0.69
v1.0.7
v1.0.70
v1.0.71
v1.0.72
v1.0.73
v1.0.74
v1.0.75
v1.0.76
v1.0.77
v1.0.78
v1.0.79
v1.0.8
v1.0.80
v1.0.81
v1.0.82
v1.0.83
v1.0.84
v1.0.85
v1.0.86
v1.0.87
v1.0.88
v1.0.89
v1.0.9
v1.0.90
v1.0.91
v1.0.92
v1.0.93
v1.0.94
v1.0.95
v1.0.96
v1.0.97
v1.0.98
v1.0.99

v2.*

v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.27
v2.0.28
v2.0.29
v2.0.3
v2.0.30
v2.0.31
v2.0.32
v2.0.33
v2.0.34
v2.0.35
v2.0.36
v2.0.37
v2.0.38
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9

v3.*

v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.1.0
v3.10.0
v3.10.1
v3.10.2
v3.11.0
v3.12.0
v3.12.1
v3.13.0
v3.13.1
v3.13.2
v3.13.3
v3.13.4
v3.14.0
v3.14.1
v3.14.2
v3.14.3
v3.14.4
v3.14.5
v3.14.6
v3.15.0
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.15.5
v3.15.6
v3.15.7
v3.16.0
v3.16.1
v3.16.2
v3.17.0
v3.17.1
v3.17.2
v3.17.3
v3.17.4
v3.18.0
v3.19.0
v3.19.1
v3.19.2
v3.19.3
v3.2.0
v3.20.0
v3.20.1
v3.21.0
v3.21.1
v3.21.2
v3.22.0
v3.22.1
v3.23.0
v3.23.1
v3.23.10
v3.23.11
v3.23.12
v3.23.13
v3.23.14
v3.23.15
v3.23.16
v3.23.17
v3.23.18
v3.23.19
v3.23.2
v3.23.20
v3.23.21
v3.23.22
v3.23.23
v3.23.24
v3.23.3
v3.23.4
v3.23.5
v3.23.6
v3.23.7
v3.23.8
v3.23.9
v3.3.0
v3.4.0
v3.4.1
v3.5.0
v3.6.0
v3.6.1
v3.6.2
v3.7.0
v3.7.1
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.9.0