CVE-2024-38527

Name of the Vulnerable Software and Affected Versions ZenUML versions prior to 3.23.25

Description The comment feature in ZenUML diagram syntax is susceptible to Cross-site Scripting (XSS) due to the lack of sanitization of markdown text before rendering. This allows an attacker to enter a malicious payload for the comment, leading to arbitrary JavaScript execution when rendering user-controlled diagrams. The vulnerability puts existing applications that use ZenUML unsandboxed at risk.

Recommendations For versions prior to 3.23.25, update to version 3.23.25 or later to resolve the issue. As a temporary workaround, consider disabling the comment feature or restricting the use of markdown features in comments to minimize the risk of exploitation. Avoid using unsanitized user input in comments until the issue is resolved.