Source: node-mermaid
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-mermaid.

CVE-2022-31108[0]:
| Mermaid is a JavaScript based diagramming and charting tool that uses
| Markdown-inspired text definitions and a renderer to create and modify
| complex diagrams. An attacker is able to inject arbitrary `CSS` into
| the generated graph allowing them to change the styling of elements
| outside of the generated graph, and potentially exfiltrate sensitive
| information by using specially crafted `CSS` selectors. The following
| example shows how an attacker can exfiltrate the contents of an input
| field by bruteforcing the `value` attribute one character at a time.
| Whenever there is an actual match, an `http` request will be made by
| the browser in order to "load" a background image that will let an
| attacker know what's the value of the character. This issue may lead
| to `Information Disclosure` via CSS selectors and functions able to
| generate HTTP requests. This also allows an attacker to change the
| document in ways which may lead a user to perform unintended actions,
| such as clicking on a link, etc. This issue has been resolved in
| version 9.1.3. Users are advised to upgrade. Users unable to upgrade
| should ensure that user input is adequately escaped before embedding
| it in CSS blocks.

https://github.com/mermaid-js/mermaid/security/advisories/GHSA-x3vm-38hw-55wf
https://github.com/mermaid-js/mermaid/commit/0ae1bdb61adff1cd485caff8c62ec6b8ac57b225

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31108
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31108

Please adjust the affected versions in the BTS as needed.

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
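
The workaround named in the advisory text above (keeping unescaped user input out of CSS blocks), sketched as an added example; it is not part of this bug report and is not Mermaid's code or its 9.1.3 fix. It uses a strict allowlist instead of escaping, and the names isSafeCssValue and buildScopedCss, the selector and the sample values are assumptions constructed for illustration.

```javascript
// Added example: allowlist check for user-supplied values that end up inside a
// generated <style> block. Function names and sample data are hypothetical.

// A value may only be a hex colour, a plain keyword, or a short number with unit.
// Braces, semicolons, quotes, parentheses and whitespace never match, so a value
// cannot close the rule, start a new selector, or call url()/other functions.
const SAFE_VALUE = /^(#[0-9a-fA-F]{3,8}|[a-zA-Z][a-zA-Z-]{0,31}|\d{1,4}(\.\d{1,3})?(px|em|rem|%)?)$/;
// Property names are restricted to simple lowercase CSS identifiers.
const SAFE_PROP = /^[a-z][a-z-]{0,39}$/;

function isSafeCssValue(value) {
  return typeof value === 'string' && SAFE_VALUE.test(value.trim());
}

// Build one rule for a selector fixed by the application (never by the user),
// dropping and reporting every declaration that fails the allowlist.
function buildScopedCss(selector, userStyles) {
  const kept = [];
  const rejected = [];
  for (const [prop, value] of Object.entries(userStyles)) {
    if (SAFE_PROP.test(prop) && isSafeCssValue(value)) {
      kept.push(`  ${prop}: ${value.trim()};`);
    } else {
      rejected.push(prop);
    }
  }
  return { css: `${selector} {\n${kept.join('\n')}\n}`, rejected };
}

// Constructed sample input: two benign values, one value that tries to close
// the rule and restyle the page, and one that would trigger an HTTP request.
const sample = {
  fill: '#ffcc00',
  'font-size': '14px',
  stroke: 'red; } body { display: none',
  color: 'url(https://example.invalid/x)',
};
const result = buildScopedCss('#diagram-1 .node', sample);
console.log(result.css);
console.log('rejected:', result.rejected);
```

Logging the rejected property names gives a reviewer something to alert on when a diagram definition carries values that look like a break-out attempt.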
