Patched versions of our BPMN, CMMN and DMN editors address two HTML injection / cross-site scripting vulnerabilities. We recommend that users upgrade.
Two issues in lower-level components of our toolkits have been reported by the community:
- search does not properly escape user input (diagram-js#362)
- direct editing allows pasting of HTML (diagram-js-direct-editing#14)
The following library releases fix the issues:
Thanks to naoey for reporting the initial bug.
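
The two bug classes listed above, shown as an added example that is not code from diagram-js or diagram-js-direct-editing: a search result renderer that builds highlight markup from unescaped text beside a hardened version, and a paste helper that accepts only the plain-text clipboard flavour. All function names and the sample label are hypothetical and constructed for illustration.

```javascript
// Added illustration; these names are hypothetical, not diagram-js APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text so it is inert character data when placed in an HTML string.
function escapeHTML(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the element label is concatenated into markup unescaped,
// so any tags inside the label become live DOM when assigned to innerHTML.
function renderResultUnsafe(label, query) {
  const i = label.indexOf(query);
  if (query === '' || i === -1) return label;
  const end = i + query.length;
  return label.slice(0, i) + '<b class="hit">' + label.slice(i, end) + '</b>' + label.slice(end);
}

// Hardened: split the raw text first, escape every piece, then add the
// highlight markup. Escaping before splitting would break match offsets.
function renderResultSafe(label, query) {
  const i = label.indexOf(query);
  if (query === '' || i === -1) return escapeHTML(label);
  const end = i + query.length;
  return escapeHTML(label.slice(0, i)) +
    '<b class="hit">' + escapeHTML(label.slice(i, end)) + '</b>' +
    escapeHTML(label.slice(end));
}

// Paste handling for an editable label: read only the text/plain flavour
// of the clipboard and ignore text/html entirely.
function plainTextFromPaste(clipboardData) {
  return clipboardData.getData('text/plain');
}

// Constructed sample: an element label that contains markup.
const SAMPLE_LABEL = 'Approve <img src=x onerror=alert(1)> order';

console.log(renderResultUnsafe(SAMPLE_LABEL, 'order'));
console.log(renderResultSafe(SAMPLE_LABEL, 'order'));
```

In a browser, `plainTextFromPaste(event.clipboardData)` would be called from a `paste` listener after `event.preventDefault()`, with the returned string inserted as a text node.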