New releases of our properties panels for BPMN, CMMN and DMN address several HTML injection / cross-site scripting vulnerabilities. We recommend that users upgrade.
Missing input sanitization leads to several HTML injection / cross-site scripting vulnerabilities in our BPMN, CMMN and DMN properties panel libraries.
These issues affect all users who embed the properties panels along with the diagram editors. They allow an attacker to execute arbitrary JavaScript in the context of the embedding website when the properties of specially configured diagram elements are viewed.
Patched Versions
The following library releases fix the issues:
bpmn-js-properties-panel@0.31.0
cmmn-js-properties-panel@0.8.0
dmn-js-properties-panel@0.3.0
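To check whether an application still ships an unpatched copy, the following added example (not part of the original advisory or of the libraries themselves) scans the "packages" map of an npm lockfile, nested copies included, against the versions listed above. It assumes lockfileVersion 2 or 3; the sample lockfile and the names modeler-app and embed-kit are constructed for illustration.

```javascript
// Minimum fixed versions, taken from the advisory above.
const PATCHED = {
  'bpmn-js-properties-panel': '0.31.0',
  'cmmn-js-properties-panel': '0.8.0',
  'dmn-js-properties-panel': '0.3.0',
};

// Constructed sample lockfile; 'modeler-app' and 'embed-kit' are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'modeler-app', version: '1.0.0' },
    'node_modules/bpmn-js-properties-panel': { version: '0.30.0' },
    'node_modules/dmn-js-properties-panel': { version: '0.3.0' },
    'node_modules/embed-kit/node_modules/cmmn-js-properties-panel': { version: '0.7.2' },
  },
};

// Split "0.31.0-rc.1" into a numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when `installed` is older than `fixed`; fields compare numerically, and
// a prerelease of the fixed version or an unparseable value counts as unpatched.
function isUnpatched(installed, fixed) {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre;
}

// Walk the lockfile "packages" map, nested node_modules copies included.
function findUnpatched(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!Object.prototype.hasOwnProperty.call(PATCHED, name)) continue;
    if (isUnpatched(entry.version, PATCHED[name])) {
      findings.push({ path, installed: entry.version, fixed: PATCHED[name] });
    }
  }
  return findings;
}

console.log(findUnpatched(SAMPLE_LOCK));
```

A lockfileVersion 1 file has no "packages" map, so it yields no findings here and needs a separate check.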