CVE-2021-43861
Severity: MEDIUM (CVSS 5.4)
WAF Coverage: High
Published: 2021-12-30
CWE: CWE-20 (Improper Input Validation), CWE-79 (Cross-Site Scripting)
Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, a maliciously crafted diagram definition can execute arbitrary JavaScript in the browser of anyone who renders it (cross-site scripting, CWE-79), so any site that renders user-supplied diagrams with an affected release exposes its readers. Users should upgrade to version 8.13.8, which contains the fix. There are no known workarounds aside from upgrading.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
OWASP CRS rule groups:
- 920xxx - Protocol Enforcement
- 941xxx - XSS / XXE
- 942xxx - SQL Injection
Cross-Site Scripting (XSS)
High WAF Coverage
OWASP: A03:2021 Injection
OWASP CRS rule group:
- 941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| mermaid_project | mermaid | < 8.13.8 (fixed in 8.13.8) |
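The affected range above is every release below 8.13.8, and a Mermaid copy is often pulled in indirectly by a Markdown or docs plugin rather than listed as a direct dependency. As an added example (not Mermaid project code and not part of this advisory), the following Node.js script walks an npm `package-lock.json` (lockfileVersion 2/3), reports every installed copy of `mermaid` including nested duplicates, and flags those below the fixed release using a semver comparison that treats prereleases such as `8.13.8-rc.1` as still affected. The lockfile contents, package names and paths are constructed for the example.

```javascript
// Added example (not Mermaid project code): find mermaid copies in an npm
// lockfile and flag the ones below the fixed release named in the advisory.
const FIXED_VERSION = "8.13.8";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Compare two semver strings: negative if a < b, 0 if equal, positive if a > b.
// Prerelease ordering follows semver.org: a prerelease sorts below its release,
// numeric identifiers sort below alphanumeric ones, shorter prefix sorts first.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p - +q; }
    else if (pn) return -1;
    else if (qn) return 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// True when an installed mermaid version is below the fixed release.
function isAffected(installedVersion) {
  return compareSemver(installedVersion, FIXED_VERSION) < 0;
}

// Walk a lockfileVersion 2/3 package-lock.json: "packages" is keyed by the
// install path, so nested copies appear as ".../node_modules/mermaid".
function findAffectedMermaid(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/mermaid$/.test(path)) continue;
    if (!entry.version) continue; // e.g. a link: entry without a resolved version
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): a hoisted copy that is
// already fixed, a nested copy that is not, and a prerelease of the fixed version.
const SAMPLE_LOCKFILE = {
  name: "docs-site", lockfileVersion: 3,
  packages: {
    "": { name: "docs-site", dependencies: { mermaid: "^8.13.8" } },
    "node_modules/mermaid": { version: "8.13.8" },
    "node_modules/some-markdown-plugin": { version: "1.0.0", dependencies: { mermaid: "8.13.0" } },
    "node_modules/some-markdown-plugin/node_modules/mermaid": { version: "8.13.0" },
    "node_modules/other-plugin/node_modules/mermaid": { version: "8.13.8-rc.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Stand-alone run: print the affected copies of the constructed lockfile.
  console.log(findAffectedMermaid(SAMPLE_LOCKFILE));
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a clean result is an empty array. Note that the hoisted copy being 8.13.8 does not by itself mean the application is fixed: a plugin that pins an older mermaid keeps its own nested, still-vulnerable copy, which is exactly what the path walk is there to catch.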
References
- github.com (Patch, Third Party Advisory)
- github.com (Release Notes, Third Party Advisory)
- github.com (Third Party Advisory)