Register | Log in

node-mermaid

Choose email to subscribe with

general

source: node-mermaid (main)
version: 8.7.0+ds+~cs27.17.17-3+deb11u2
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Nilesh Patra [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 8.7.0+ds+~cs27.17.17-3+deb11u2

versioned links

8.7.0+ds+~cs27.17.17-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-mermaid

package is gone

This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
CVE-2022-48345: sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

Created: 2022-07-04 Last update: 2024-08-15 08:30

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
CVE-2022-48345: sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

Created: 2023-10-22 Last update: 2023-10-22 12:54

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.

Created: 2022-07-04 Last update: 2022-07-09 12:05

news

[2024-11-04] Removed 8.14.0+~cs11.4.14-1 from unstable (Debian FTP Masters)
[2022-07-15] node-mermaid REMOVED from testing (Debian testing watch)
[2022-07-15] node-mermaid REMOVED from testing (Debian testing watch)
[2022-07-02] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-05-29] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-03-23] node-mermaid 8.14.0+~cs11.4.14-1 MIGRATED to testing (Debian testing watch)
[2022-03-21] Accepted node-mermaid 8.14.0+~cs11.4.14-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-01-11] node-mermaid 8.13.8+~cs10.4.16-1 MIGRATED to testing (Debian testing watch)
[2022-01-09] Accepted node-mermaid 8.13.8+~cs10.4.16-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-12-05] node-mermaid 8.13.3+ds+~cs26.13.21-2 MIGRATED to testing (Debian testing watch)
[2021-12-02] Accepted node-mermaid 8.13.3+ds+~cs26.13.21-2 (source) into unstable (Jonas Smedegaard)
[2021-10-18] node-mermaid 8.13.3+ds+~cs26.13.21-1 MIGRATED to testing (Debian testing watch)
[2021-10-15] Accepted node-mermaid 8.13.3+ds+~cs26.13.21-1 (source) into unstable (Nilesh Patra)
[2021-10-15] Accepted node-mermaid 8.13.2+ds+~cs30.13.21-1.1 (source) into unstable (Andrej Shadura) (signed by: Andrew Shadura)
[2021-10-13] node-mermaid 8.13.2+ds+~cs30.13.21-1 MIGRATED to testing (Debian testing watch)
[2021-10-11] Accepted node-mermaid 8.13.2+ds+~cs30.13.21-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-07-05] node-mermaid 8.7.0+ds+~cs27.17.17-3 MIGRATED to testing (Debian testing watch)
[2021-06-29] Accepted node-mermaid 8.11.0+ds+~cs29.13.22-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
[2021-06-29] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-28] Accepted node-mermaid 8.9.3+ds+~cs29.13.19-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-03-11] Accepted node-mermaid 8.9.1+ds+~cs26.20.25-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-14] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-2~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-10-21] node-mermaid 8.7.0+ds+~cs27.17.17-2 MIGRATED to testing (Debian testing watch)
[2020-10-19] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-2 (source) into unstable (Nilesh Patra)
[2020-10-18] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 0

links

homepage
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing