GHSA-xm59-jvxm-cp3v

Suggest an improvement
Source
https://github.com/advisories/GHSA-xm59-jvxm-cp3v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xm59-jvxm-cp3v/GHSA-xm59-jvxm-cp3v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xm59-jvxm-cp3v
Aliases
Published
2022-05-24T16:49:07Z
Modified
2023-11-01T04:50:23.695884Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
mxGraph vulnerable to cross-site scripting in color field
Details

mxGraph through 4.0.0, related to the draw.io Diagrams plugin before 8.3.14 for Confluence and other products, is vulnerable to cross-site scripting. draw.io Diagrams allows the creation and editing of draw.io-based diagrams in Confluence. Among other things, it allows to set the background color of text displayed in the diagram. The color provided by the user is notproperly sanitized, leading to HTML and JavaScript code to be displayed "as it is" to visitors of the page. This allows attackers to execute JavaScript code in the context of the visitor's browser and session and to e.g. run Confluence command under the visitor's user or attack the visitor's browser.

Proof of Concept (PoC):

  1. Create a new draw.io Diagram, add an element and edit its background color and enter some text to the element
  2. Enter the following "color": onMouseOver=alert(1) a=
  3. Save and view the resulting diagram, moving your mouse over the text
Database specific 
{
    "nvd_published_at": "2019-07-01T15:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T18:54:37Z"
}
References

Affected packages

npm / mxgraph

Package

Name
mxgraph
View open source insights on deps.dev
Purl
pkg:npm/mxgraph

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.1

Database specific 

{
    "last_known_affected_version_range": "<= 4.0.0"
}