CVE-2023-3026: 21.2.8 release · jgraph/drawio@c7ac634
Stored Cross-site Scripting (XSS) in GitHub repository jgraph/drawio prior to 21.2.8.
@@ -1885,7 +1885,7 @@ GraphViewer.prototype.showLightbox = function(editable, closable, target) /** * Adds the given array of stencils to avoid dynamic loading of shapes. */ GraphViewer.prototype.showLocalLightbox = function() GraphViewer.prototype.showLocalLightbox = function(container) { var backdrop = document.createElement(‘div’);
@@ -1921,6 +1921,17 @@ GraphViewer.prototype.showLocalLightbox = function() urlParams[‘tags’] = '{}’; }
if (container != null) { try { var toolbarConfig = JSON.parse(decodeURIComponent(urlParams[‘toolbar-config’] || ‘{}’)); toolbarConfig.noCloseBtn = true; urlParams[‘toolbar-config’] = encodeURIComponent(JSON.stringify(toolbarConfig)); } catch (e) {} }
// PostMessage not working and Permission denied for opened access in IE9- if (document.documentMode == null || document.documentMode >= 10) {
@@ -1961,20 +1972,23 @@ GraphViewer.prototype.showLocalLightbox = function()
ui.destroy = function() { mxEvent.removeListener(document.documentElement, 'keydown’, keydownHandler); document.body.removeChild(backdrop); document.body.removeChild(closeImg); document.body.style.overflow = overflow; GraphViewer.resizeSensorEnabled = true;
destroy.apply(this, arguments); if (container == null) { mxEvent.removeListener(document.documentElement, 'keydown’, keydownHandler); document.body.removeChild(backdrop); document.body.removeChild(closeImg); document.body.style.overflow = overflow; GraphViewer.resizeSensorEnabled = true;
destroy.apply(this, arguments); } };
var graph = ui.editor.graph; var lightbox = graph.container; lightbox.style.overflow = 'hidden’;
if (this.lightboxChrome) if (this.lightboxChrome && container == null) { lightbox.style.border = '1px solid #c0c0c0’; lightbox.style.margin = '40px’;
@@ -2049,8 +2063,16 @@ GraphViewer.prototype.showLocalLightbox = function() lightbox.style.zIndex = this.lightboxZIndex; closeImg.style.zIndex = this.lightboxZIndex;
document.body.appendChild(lightbox); document.body.appendChild(closeImg); if (container != null) { container.innerHTML = '’; container.appendChild(lightbox); } else { document.body.appendChild(lightbox); document.body.appendChild(closeImg); }
ui.setFileData(this.xml);
@@ -2059,7 +2081,7 @@ GraphViewer.prototype.showLocalLightbox = function() ui.chromelessToolbar.style.zIndex = this.lightboxZIndex;
// Workaround for clipping in IE11- document.body.appendChild(ui.chromelessToolbar); (container || document.body).appendChild(ui.chromelessToolbar);
ui.getEditBlankXml = mxUtils.bind(this, function() {