NodeJS/mermaid/7.1.2


Markdown-ish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.

https://www.npmjs.com/package/mermaid
MIT

3 Security Vulnerabilities

Cross-site Scripting in Mermaid

Published date: 2021-12-10T18:57:41Z
CVE: CVE-2021-35513
Links:

Mermaid before 8.11.0 allows XSS when the antiscript feature is used.

Affected versions: ["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2"]
Secure versions: [9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7]
Recommendation: Update to version 10.9.0.

Incorrect sanitisation function leads to `XSS` in mermaid

Published date: 2022-01-06T19:45:59Z
CVE: CVE-2021-43861
Links:

Impact

Malicious diagrams can contain JavaScript code that can be run on diagram readers' machines.

Patches

The users should upgrade to version 8.13.8.

Workarounds

You need to upgrade in order to avoid this issue.

Affected versions: ["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2", "8.11.0", "8.11.1", "8.11.2", "8.11.3", "8.11.4", "8.11.5", "8.12.0", "8.12.1", "8.13.0", "8.13.1", "8.13.2", "8.13.3", "8.13.4", "8.13.5", "8.13.6", "8.13.7"]
Secure versions: [9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7]
Recommendation: Update to version 10.9.0.

Cross-Site Scripting in mermaid

Published date: 2020-09-02T15:41:41Z
Links:

Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, the markup is rendered and its script executes instead of being displayed as text, because the label is not output-encoded.

Recommendation

Upgrade to version 8.2.3 or later.

Affected versions: ["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2"]
Secure versions: [9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7]
Recommendation: Update to version 10.9.0.

223 Other Versions

Version   License        Security (vulns)  Released (date - time, age)
7.0.0     MIT            3                 2017-01-29 - 11:15  over 7 years
6.0.0     MIT            3                 2016-05-29 - 17:27  almost 8 years
0.5.8     MIT            3                 2016-01-27 - 14:06  over 8 years
0.5.7     MIT            3                 2016-01-25 - 18:12  over 8 years
0.5.6     MIT            3                 2015-11-22 - 18:09  over 8 years
0.5.5     MIT            3                 2015-10-21 - 19:15  over 8 years
0.5.4     MIT            3                 2015-10-19 - 20:09  over 8 years
0.5.3     MIT            3                 2015-10-04 - 21:29  over 8 years
0.5.2     MIT            3                 2015-10-04 - 21:09  over 8 years
0.5.1     MIT            3                 2015-06-21 - 15:27  almost 9 years
0.5.0     MIT            3                 2015-06-07 - 15:06  almost 9 years
0.4.0     MIT            3                 2015-03-01 - 15:52  about 9 years
0.3.5     MIT            3                 2015-02-15 - 18:38  about 9 years
0.3.4     MIT            3                 2015-02-15 - 17:16  about 9 years
0.3.3     MIT            3                 2015-01-25 - 15:46  over 9 years
0.3.2     MIT            3                 2015-01-11 - 14:13  over 9 years
0.3.0     MIT            3                 2014-12-22 - 12:55  over 9 years
0.2.16    MIT            3                 2014-12-15 - 18:44  over 9 years
0.2.15    BSD-2-Clause   3                 2014-12-05 - 09:56  over 9 years
0.2.14    BSD-2-Clause   3                 2014-12-03 - 18:36  over 9 years
0.2.13    BSD-2-Clause   3                 2014-12-03 - 18:29  over 9 years
0.2.12    BSD-2-Clause   3                 2014-12-02 - 18:03  over 9 years
0.2.11    BSD-2-Clause   3                 2014-12-02 - 17:39  over 9 years