Incorrect sanitisation function leads to `XSS`
CVE-2021-43861

7.2HIGH

Key Information:

Vendor

Mermaid-js

Status
Mermaid
Vendor
CVE Published:
30 December 2021

What is CVE-2021-43861?

Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.

Affected Version(s)

mermaid < 8.13.8

References

https://github.com/mermaid-js/mermaid/security/advisories...
x_refsource_CONFIRM
https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda...
x_refsource_MISC
https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
x_refsource_MISC

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.