Cross-Site Scripting in diagram-js-direct-editing
Moderate severity
GitHub Reviewed
Published
Sep 11, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 11, 2020
Last updated
Jan 9, 2023
Versions of
diagram-js-direct-editing
prior to 1.4.3 are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser.Recommendation
Upgrade to version 1.4.3 or later.
References