
CVE-2021-35513: Cross-site Scripting in Mermaid

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.53429%
Published: 12/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: mermaid
Ecosystem: npm
Vulnerable Versions: < 8.11.0
First Patched Version: 8.11.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insufficient input sanitization in the antiscript security feature. Commit 3d22fa5 shows that the vulnerable version lacked two steps: 1) replacement of 'javascript:' with '#', and 2) removal of <iframe> tags. The test case in xss5.html demonstrates XSS via a crafted 'javascript:' URL containing encoded characters. The removeScript function was patched directly to add these two sanitization steps, confirming it was the vulnerable component.
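To make the two missing sanitization steps concrete, here is an added illustration written for this page; it is not Mermaid's removeScript and does not reproduce the test case from the commit. The function names sanitizeBefore and sanitizeAfter, the regular expressions, and the sample input are all constructed for the example. The "before" form only strips script blocks, so a javascript: URL in an attribute and an iframe pass through untouched; the "after" form adds the iframe removal and the 'javascript:' to '#' replacement the advisory describes.

```javascript
// Added example (not Mermaid's code): a minimal text sanitizer showing the two
// steps the advisory says the pre-8.11.0 antiscript path lacked.
// All names and the regular expressions below are hypothetical.

// Weak form: strips <script> elements only. A javascript: URL in an attribute
// or an <iframe> element survives unchanged.
function sanitizeBefore(text) {
  return text.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Hardened form: additionally drops <iframe> elements and neutralises any
// javascript: scheme by replacing it with '#', as in the fix described above.
// The scheme match is case-insensitive so 'JavaScript:' is caught as well.
function sanitizeAfter(text) {
  let out = sanitizeBefore(text);
  // Paired iframe (with closing tag) first, then any bare or self-closing one.
  out = out.replace(/<iframe\b[^>]*>[\s\S]*?<\/iframe\s*>/gi, '');
  out = out.replace(/<iframe\b[^>]*\/?>/gi, '');
  out = out.replace(/javascript:/gi, '#');
  return out;
}

// Constructed sample input: a link with a javascript: URL, an iframe and a
// script block, in one string (not the advisory's xss5.html test case).
const SAMPLE_INPUT =
  '<a href="JavaScript:alert(1)">x</a>' +
  '<iframe src="https://example.invalid"></iframe>' +
  '<script>1</script>';

// Runs both forms over the sample so the difference is visible.
function demo() {
  return { before: sanitizeBefore(SAMPLE_INPUT), after: sanitizeAfter(SAMPLE_INPUT) };
}

console.log(demo());
```

The regex approach is kept deliberately small so the two added steps stand out. The advisory's mention of encoded characters in the test URL is the reason a production sanitizer should normalise its input (decode entities, strip control characters) before matching schemes, or better, use an allow-list HTML sanitizer rather than deny-list patterns like these.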

WAF Protection Rules

WAF Rule

Mermaid before 8.11.0 allows XSS when the antiscript feature is used.
