GMS-2020-227: Cross-Site Scripting in diagram-js-direct-editing
Versions of diagram-js-direct-editing are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim’s browser. Upgrade to or later.
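As an added illustration of the mitigation for this bug class (not code from diagram-js-direct-editing, and not a reproduction of its fix), the sketch below shows a paste handler for an in-place text editor that reads only the `text/plain` clipboard flavour and inserts it as text. All function names and the sample event are hypothetical and constructed for the example.

```javascript
// Added example; every name here is hypothetical, not diagram-js-direct-editing code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for the case where a label is later built into an HTML string.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Take only the text/plain flavour of the clipboard; text/html is never read.
function plainTextFromClipboard(clipboardData) {
  if (!clipboardData || typeof clipboardData.getData !== 'function') return '';
  const text = clipboardData.getData('text/plain') || '';
  // Drop control characters other than tab, LF and CR.
  return text.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '');
}

// Paste handler: cancel the browser's own insertion (which would keep the
// markup from text/html) and hand plain text to the caller-supplied sink.
function handlePaste(event, insertText) {
  event.preventDefault();
  const text = plainTextFromClipboard(event.clipboardData);
  insertText(text);
  return text;
}

// Browser sink: insert as a text node, so the string is never parsed as HTML.
function insertAsTextNode(text) {
  const range = window.getSelection().getRangeAt(0);
  range.deleteContents();
  range.insertNode(document.createTextNode(text));
}

// Constructed sample event with both clipboard flavours, for running offline.
function samplePasteEvent() {
  const flavours = {
    'text/plain': 'Review order\u0000 <draft>',
    'text/html': '<b style="color:red">Review order</b>',
  };
  return {
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
    clipboardData: { getData: (type) => flavours[type] || '' },
  };
}
```

In a browser, the handler would be attached with `element.addEventListener('paste', (e) => handlePaste(e, insertAsTextNode))`.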