Knsv

**Name of the Vulnerable Software and Affected Versions** Mermaid versions prior to 9.1.3 **Description** Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker can inject arbitrary `CSS` into the generated graph, allowing them to change the styling of elements outside of the generated graph and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests, and also allows an attacker to change the document in ways that may lead a user to perform unintended actions. **Recommendations** For versions prior to 9.1.3, ensure that user input is adequately escaped before embedding it in CSS blocks. As a temporary workaround, consider restricting the use of user-inputted `CSS` until a patch is available. Users are advised to upgrade to version 9.1.3 or later to resolve the issue. If upgrading is not possible, users should ensure that all user input is properly sanitized to prevent arbitrary `CSS` injection.

Name of the Vulnerable Software and Affected Versions: Mermaid versions prior to 8.13.8 Description: Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Malicious diagrams can run javascript code at diagram readers' machines. Recommendations: For versions prior to 8.13.8, upgrade to version 8.13.8 to receive a patch. At the moment, there is no other information about additional mitigation measures aside from upgrading to the patched version.

**Name of the Vulnerable Software and Affected Versions** Mermaid versions prior to 8.11.0 **Description** The issue is related to the antiscript feature in Mermaid, which allows for cross-site scripting (XSS) attacks. This can potentially impact the integrity of data. The vulnerability can be exploited by a remote attacker. **Recommendations** For versions prior to 8.11.0, update to version 8.11.0 or later to resolve the issue. As a temporary workaround, consider disabling the antiscript feature until a patch is available.