Patched versions of our BPMN, CMMN and DMN editors address two HTML injection / cross-site scripting vulnerabilities. We recommend users to upgrade.
Two issues in lower level components of our toolkits have been reported by the community:
- search does not properly escape user input (diagram-js#362)
- direct editing allows pasting of HTML (diagram-js-direct-editing#14)
These issues affect all editors for BPMN, CMMN and DMN. They allow an attacher to execute arbitary JavaScript in the context of a website embedding our modelers if the victim is lured into pasting a crafted piece of HTML. Our viewer distributions are not affected by this issue.
Patched Versions
The following library releases fix the issues:
bpmn-js@3.4.2bpmn-js@2.5.3cmmn-js@0.18.1dmn-js@6.3.3diagram-js@3.3.1diagram-js@2.6.2
Credits
Thanks to naoey for reporting the initial bug.
Are you passionate about JavaScript, modeling, and the web?
Join Camunda and build modeling tools people 
.