GHSA-vmh4-322v-cfpc

Source

https://github.com/advisories/GHSA-vmh4-322v-cfpc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-vmh4-322v-cfpc/GHSA-vmh4-322v-cfpc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vmh4-322v-cfpc

Published

2020-09-03T18:18:06Z

Modified

2020-08-31T18:46:35Z

Summary

Cross-Site Scripting in cmmn-js-properties-panel

Details

Versions of cmmn-js-properties-panel prior to 0.8.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript in the embedding website.

Recommendation

Upgrade to version 0.8.0 or later.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:46:35Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

https://www.npmjs.com/advisories/1080

Affected packages

npm / cmmn-js-properties-panel

Package

Name: cmmn-js-properties-panel; View open source insights on deps.dev
Purl: pkg:npm/cmmn-js-properties-panel

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-vmh4-322v-cfpc/GHSA-vmh4-322v-cfpc.json"