Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function.
An issue was discovered in mxGraph related to the draw.io Diagrams plugin for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js.
In mxGraphViewImageReader, the SAXParserFactory instance in convert() is missing the flags needed to prevent XML External Entity (XXE) attacks.