News from the project

Updated Properties Panels Fix HTML Injection Vulnerabilities

Published by Nico Rehwaldt on Monday, 08 July 2019.

bpmn-js-properties-panel0.31.0 cmmn-js-properties-panel0.8.0 dmn-js-properties-panel0.3.0

New releases of our properties panels for BPMN, CMMN and DMN address several HTML injection / cross-site scripting vulnerabilities. We recommend users to upgrade.

Missing input saniation leads to several HTML injection / cross-site scripting vulnerabilities in our BPMN, CMMN and DMN properties panel libraries.

These issues affect all users that embed the properties panels along with the diagram editors. They allow an attacher to execute arbitary JavaScript in the context of the embedding website if properties for specially configured diagram elements are being viewed.

Patched Versions

The following library releases fix the issues:

  • bpmn-js-properties-panel@0.31.0
  • cmmn-js-properties-panel@0.8.0
  • dmn-js-properties-panel@0.3.0

Are you passionate about JavaScript, modeling, and the web?
Join Camunda and build modeling tools people heart.