NodeJS/mermaid/0.3.4
Markdown-ish syntax for generating flowcharts, mindmaps, sequence diagrams, class diagrams, gantt charts, git graphs and more.
Repo Link:
https://www.npmjs.com/package/mermaid
License:
MIT
3 Security Vulnerabilities
Published date: 2021-12-10T18:57:41Z
CVE: CVE-2021-35513
Mermaid before 8.11.0 allows XSS when the antiscript feature is used.
Affected versions:
["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2"]
Secure versions:
[9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7, 10.9.1, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.2.0, 11.2.1]
Recommendation:
Update to version 11.2.1.
Published date: 2022-01-06T19:45:59Z
CVE: CVE-2021-43861
Impact
Malicious diagrams can contain JavaScript code that is executed on the machine of anyone who views the diagram.
Patches
Users should upgrade to version 8.13.8.
Workarounds
No workaround is available; you need to upgrade to avoid this issue.
Affected versions:
["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2", "8.11.0", "8.11.1", "8.11.2", "8.11.3", "8.11.4", "8.11.5", "8.12.0", "8.12.1", "8.13.0", "8.13.1", "8.13.2", "8.13.3", "8.13.4", "8.13.5", "8.13.6", "8.13.7"]
Secure versions:
[9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7, 10.9.1, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.2.0, 11.2.1]
Recommendation:
Update to version 11.2.1.
Published date: 2020-09-02T15:41:41Z
Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, the embedded HTML is executed instead of being rendered as text, due to improper output encoding of node labels.
Recommendation:
Upgrade to version 8.2.3 or later.
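All three entries on this page are the same bug class: text from a diagram node label reaches the rendered SVG/HTML without output encoding, so an attacker who controls the diagram source controls what runs in the viewer's browser. The example below is added here to illustrate that class with the exact payload quoted in the third advisory; it is not mermaid's own code, and the helpers parseNodeLabel, renderLabelUnsafe, renderLabelSafe and containsForeignTag are hypothetical names written for this illustration. It models the label rendering as string building so it runs in Node without a DOM, shows the vulnerable concatenation beside the escaped form, and includes a small check that tells the two apart. Note that mermaid's own securityLevel option (strict by default) governs how much HTML is allowed in labels; the CVE-2021-35513 entry above concerns a bypass in its antiscript mode, which the page does not detail, so the example stays with the generic encode-on-output fix.

```javascript
// Added example (not mermaid's code): an HTML-capable node label becomes XSS
// when it is concatenated into markup without output encoding; escaping the
// same label renders it as harmless text.
// parseNodeLabel, renderLabelUnsafe, renderLabelSafe and containsForeignTag
// are hypothetical helpers written for this illustration.

// Constructed sample: a flowchart node carrying the payload from the advisory.
const SAMPLE_NODE = 'A["<img src=invalid onerror=alert(\'XSS\')></img>"]';

// Minimal parser for a node of the form  ID["label"]  (mermaid's real grammar
// is far larger; this handles only the double-quoted label form).
function parseNodeLabel(nodeDef) {
  const m = /^\s*([A-Za-z0-9_]+)\s*\["(.*)"\]\s*$/.exec(nodeDef);
  if (!m) throw new Error('unsupported node syntax: ' + nodeDef);
  return { id: m[1], label: m[2] };
}

// Encode the five characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the label is spliced straight into markup. This is what
// "improper output encoding" in the advisory amounts to.
function renderLabelUnsafe(node) {
  return `<foreignObject><div class="label" data-id="${node.id}">${node.label}</div></foreignObject>`;
}

// Hardened pattern: identical template, but every untrusted value is encoded,
// so the browser displays "<img ...>" as text instead of creating an element.
function renderLabelSafe(node) {
  return `<foreignObject><div class="label" data-id="${escapeHtml(node.id)}">${escapeHtml(node.label)}</div></foreignObject>`;
}

// Check: does the rendered markup contain any tag other than the ones the
// template itself emits? If so, label content escaped into element context.
function containsForeignTag(markup) {
  const allowed = new Set(['foreignobject', 'div']);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Render the sample node both ways and report whether the injected tag survived.
function demo() {
  const node = parseNodeLabel(SAMPLE_NODE);
  const unsafe = renderLabelUnsafe(node);
  const safe = renderLabelSafe(node);
  return {
    unsafeHasInjectedTag: containsForeignTag(unsafe), // true: <img ... onerror=...> is live
    safeHasInjectedTag: containsForeignTag(safe),     // false: shown as &lt;img ...&gt;
    unsafe,
    safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('unsafe:', r.unsafe);
  console.log('safe:  ', r.safe);
  console.log('injected tag survives (unsafe):', r.unsafeHasInjectedTag);
  console.log('injected tag survives (safe):  ', r.safeHasInjectedTag);
}
```

Run it with node to see the two renderings side by side. The check in containsForeignTag is deliberately narrow: it answers "did label text become an element" for this one template, which is the right question when triaging a diagram renderer, but it is not a general HTML sanitizer and should not be used as one; the fix is encoding at the point of output (or, for a real deployment, keeping mermaid on a patched release and leaving securityLevel at its strict default).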
Affected versions:
["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2"]
Secure versions:
[9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7, 10.9.1, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.2.0, 11.2.1]
Recommendation:
Update to version 11.2.1.