GHSA-p3rp-vmj9-gv6v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p3rp-vmj9-gv6v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-p3rp-vmj9-gv6v/GHSA-p3rp-vmj9-gv6v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p3rp-vmj9-gv6v
- Aliases
- Related
- Published
- 2022-01-06T19:45:59Z
- Modified
- 2023-11-08T04:07:14.898534Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Incorrect sanitisation function leads to `XSS` in mermaid
- Details
-
Impact
Malicious diagrams can contain javascript code that can be run at diagram readers machines.
Patches
The users should upgrade to version 8.13.8
Workarounds
You need to upgrade in order to avoid this issue.
- Database specific
{ "nvd_published_at": "2021-12-30T14:15:00Z", "github_reviewed_at": "2022-01-06T19:02:22Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-20", "CWE-79" ] }- References
-
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
- https://nvd.nist.gov/vuln/detail/CVE-2021-43861
- https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
- https://github.com/mermaid-js/mermaid
- https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
Affected packages
npm / mermaid
Package
- Name
- mermaid
- View open source insights on deps.dev
- Purl
- pkg:npm/mermaid