CVE-2024-32472

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-32472
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32472.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-32472
Aliases
Published
2024-04-17T21:23:57Z
Modified
2025-10-20T19:33:27Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
excalidraw vulnerable to a Stored XSS in excalidraw's web embed component
Details

excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors. One rendering untrusted string as iframe's srcdoc without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing allow-same-origin sandbox flag (necessary for several embeds) resulted in the XSS. This vulnerability is fixed in 0.17.6 and 0.16.4.

Database specific 
{
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ]
}
References

Affected packages

Git / github.com/excalidraw/excalidraw

Affected ranges

Type
GIT
Repo
https://github.com/excalidraw/excalidraw
Events
Introduced
0a588a880b972f4e2f15e23bc244cce1c1ff2160
Fixed
1863da44053dcf95aa4be0891065e8a580002de6
Type
GIT
Repo
https://github.com/excalidraw/excalidraw
Events
Introduced
ddb75850573f6fef9a0786ced32ae63ab913f0e0
Fixed
0dbd2a39319d41fda37b2945dea0dcbd58d6a564