News from the bpmn.io project

Updated Properties Panels Fix HTML Injection Vulnerabilities

Published by Nico Rehwaldt on Monday, 08 July 2019.

bpmn-js-properties-panel 0.31.0, cmmn-js-properties-panel 0.8.0, dmn-js-properties-panel 0.3.0

New releases of our properties panels for BPMN, CMMN and DMN address several HTML injection / cross-site scripting vulnerabilities. We recommend that users upgrade.

Missing input sanitization leads to several HTML injection / cross-site scripting vulnerabilities in our BPMN, CMMN and DMN properties panel libraries.

These issues affect all users who embed the properties panels along with the diagram editors. They allow an attacker to execute arbitrary JavaScript in the context of the embedding website when the properties of specially configured diagram elements are viewed.

Patched Versions

The following library releases fix the issues:

  • bpmn-js-properties-panel@0.31.0
  • cmmn-js-properties-panel@0.8.0
  • dmn-js-properties-panel@0.3.0
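
To check a project against this list, the following added example (not part of the original post and not bpmn.io code) scans npm lockfile data for the three packages and reports every installed copy, including nested ones, that resolves below the patched release. The lockfile shapes it reads (npm `dependencies` and `packages` sections), the function names and the sample data are assumptions made for the example.

```javascript
// Added example, not bpmn.io code; patched versions are taken from the post.
const PATCHED = new Map([
  ['bpmn-js-properties-panel', '0.31.0'],
  ['cmmn-js-properties-panel', '0.8.0'],
  ['dmn-js-properties-panel', '0.3.0']
]);
// "0.31.0-rc.1" -> { core: [0, 31, 0], pre: true }; null if not semver-like.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version));
  return m && { core: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// True if `version` sorts before `patched`; a prerelease of it counts as older.
function isBelow(version, patched) {
  const a = parseVersion(version), b = parseVersion(patched);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre;
}

// Collect every installed copy: flat "packages" map (lockfileVersion 2/3)
// when present, otherwise the nested "dependencies" tree (lockfileVersion 1).
function findUnpatched(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (!PATCHED.has(name)) return;
    // Git or tarball specifiers cannot be compared: report for manual review.
    const status = !parseVersion(version) ? 'unknown'
      : isBelow(version, PATCHED.get(name)) ? 'vulnerable' : 'patched';
    if (status !== 'patched') findings.push({ name, version, where, status });
  };
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version, [...trail, name].join(' > '));
      walk(entry.dependencies, [...trail, name]);
    }
  };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    check(path.split('node_modules/').pop(), entry.version, path);
  }
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}
// Constructed sample (lockfileVersion 1 shape); 'my-modeler' is a hypothetical package.
const SAMPLE_LOCK = { dependencies: {
  'my-modeler': { version: '1.0.0', dependencies: { 'bpmn-js-properties-panel': { version: '0.30.0' } } },
  'dmn-js-properties-panel': { version: '0.3.0' } } };
console.log(findUnpatched(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of `package-lock.json` to `findUnpatched`. Entries reported with status `unknown` have a version that is not a plain semver string and need a manual look.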
