Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
31 vulnerabilities by jgraph
CVE-2026-46642 (GCVE-0-2026-46642)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:42 – Updated: 2026-06-11 14:03
VLAI
Title
draw.io: XSS via crafted cell label when opening a .drawio file
Summary
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/security/advisor… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/releases/tag/v29.7.12 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46642",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T14:02:47.367642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T14:03:34.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"status": "affected",
"version": "\u003c 29.7.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor\u0027s origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element\u0027s innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an \u003cimg src=x onerror=...\u003e payload in any cell label triggers script execution as soon as the cell is selected \u2014 which import does automatically. This issue has been patched in version 29.7.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:42:02.156Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"
},
{
"name": "https://github.com/jgraph/drawio/releases/tag/v29.7.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/releases/tag/v29.7.12"
}
],
"source": {
"advisory": "GHSA-fqhg-287p-c6vf",
"discovery": "UNKNOWN"
},
"title": "draw.io: XSS via crafted cell label when opening a .drawio file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46642",
"datePublished": "2026-06-10T17:42:02.156Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-06-11T14:03:34.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42195 (GCVE-0-2026-42195)
Vulnerability from cvelistv5 – Published: 2026-05-08 21:22 – Updated: 2026-05-13 17:47
VLAI
Title
Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host
Summary
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/security/advisor… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/issues/493 | x_refsource_MISC |
| https://github.com/jgraph/drawio/releases/tag/v29.7.9 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42195",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T17:18:43.655474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T17:47:31.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"status": "affected",
"version": "\u003c 29.7.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user\u0027s click on draw.io\u0027s \"Authorize in GitLab\" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:22:40.678Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x"
},
{
"name": "https://github.com/jgraph/drawio/issues/493",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/issues/493"
},
{
"name": "https://github.com/jgraph/drawio/releases/tag/v29.7.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/releases/tag/v29.7.9"
}
],
"source": {
"advisory": "GHSA-8x7j-m8px-7p8x",
"discovery": "UNKNOWN"
},
"title": "Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42195",
"datePublished": "2026-05-08T21:22:40.678Z",
"dateReserved": "2026-04-25T01:53:21.584Z",
"dateUpdated": "2026-05-13T17:47:31.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3975 (GCVE-0-2023-3975)
Vulnerability from cvelistv5 – Published: 2023-07-27 14:34 – Updated: 2024-10-15 15:32
VLAI
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.
Severity
8.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.5.0
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.5.0
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3975",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:03:26.147244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:32:40.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:34:10.847Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
},
{
"url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
}
],
"source": {
"advisory": "4da96d20-78ac-462e-910c-a14db9062161",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3975",
"datePublished": "2023-07-27T14:34:10.847Z",
"dateReserved": "2023-07-27T14:34:05.900Z",
"dateUpdated": "2024-10-15T15:32:40.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3974 (GCVE-0-2023-3974)
Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
VLAI
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.4.0
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.4.0
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3974",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:03:43.684638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:36:08.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:33:31.671Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
},
{
"url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
}
],
"source": {
"advisory": "ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3974",
"datePublished": "2023-07-27T14:33:31.671Z",
"dateReserved": "2023-07-27T14:33:26.406Z",
"dateUpdated": "2024-10-15T15:36:08.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3973 (GCVE-0-2023-3973)
Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
VLAI
Title
Cross-site Scripting (XSS) - Reflected in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.6.3
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.6.3
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3973",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:04:11.770958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:36:46.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:33:11.271Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
},
{
"url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
}
],
"source": {
"advisory": "4c1c5db5-210f-4d7e-8380-b95f88fdb78d",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3973",
"datePublished": "2023-07-27T14:33:11.271Z",
"dateReserved": "2023-07-27T14:32:56.314Z",
"dateUpdated": "2024-10-15T15:36:46.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3398 (GCVE-0-2023-3398)
Vulnerability from cvelistv5 – Published: 2023-06-26 10:05 – Updated: 2024-12-03 18:47
VLAI
Title
Denial of Service in jgraph/drawio
Summary
Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.1.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3398",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T18:44:34.481992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T18:47:29.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-26T10:05:09.278Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
},
{
"url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
}
],
"source": {
"advisory": "aa087215-80e1-433d-b870-650705630e69",
"discovery": "EXTERNAL"
},
"title": "Denial of Service in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3398",
"datePublished": "2023-06-26T10:05:09.278Z",
"dateReserved": "2023-06-26T10:04:56.783Z",
"dateUpdated": "2024-12-03T18:47:29.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3026 (GCVE-0-2023-3026)
Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-10 18:55
VLAI
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:04.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T18:55:51.968547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T18:55:55.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-01T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
},
{
"url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
}
],
"source": {
"advisory": "9bbcc127-1e69-4c88-b318-d2afef48eff0",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3026",
"datePublished": "2023-06-01T00:00:00.000Z",
"dateReserved": "2023-06-01T00:00:00.000Z",
"dateUpdated": "2025-01-10T18:55:55.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3873 (GCVE-0-2022-3873)
Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2025-05-01 17:59
VLAI
Title
Cross-site Scripting (XSS) - DOM in jgraph/drawio
Summary
Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.5.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3873",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T17:55:24.006232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T17:59:19.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
},
{
"url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
}
],
"source": {
"advisory": "52a4085e-b687-489b-9ed6-f0987583ed77",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - DOM in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3873",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-11-07T00:00:00.000Z",
"dateUpdated": "2025-05-01T17:59:19.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40440 (GCVE-0-2022-40440)
Vulnerability from cvelistv5 – Published: 2022-10-11 00:00 – Updated: 2024-08-03 12:21
VLAI
Summary
mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:45.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://mxgraph.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/mxgraph"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/SxB64/mxgraph-xss-vul/wiki"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-11T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://mxgraph.com"
},
{
"url": "https://github.com/jgraph/mxgraph"
},
{
"url": "https://github.com/SxB64/mxgraph-xss-vul/wiki"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40440",
"datePublished": "2022-10-11T00:00:00.000Z",
"dateReserved": "2022-09-11T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:21:45.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3223 (GCVE-0-2022-3223)
Vulnerability from cvelistv5 – Published: 2022-09-16 10:50 – Updated: 2024-08-03 01:00
VLAI
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/125791b6-3a68-4235-886… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/ea012baba… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.759Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T10:50:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
],
"source": {
"advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3223",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.1"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"name": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
]
},
"source": {
"advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3223",
"datePublished": "2022-09-16T10:50:12.000Z",
"dateReserved": "2022-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3133 (GCVE-0-2022-3133)
Vulnerability from cvelistv5 – Published: 2022-09-09 17:55 – Updated: 2024-08-03 01:00
VLAI
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/2d93052f-efc6-4647-9a6… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/8f3f95a05… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T17:55:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
],
"source": {
"advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3133",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"name": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
]
},
"source": {
"advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3133",
"datePublished": "2022-09-09T17:55:09.000Z",
"dateReserved": "2022-09-05T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3138 (GCVE-0-2022-3138)
Vulnerability from cvelistv5 – Published: 2022-09-08 09:30 – Updated: 2024-08-03 01:00
VLAI
Title
Cross-site Scripting (XSS) - Generic in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/b5dfeb238… | x_refsource_MISC |
| https://huntr.dev/bounties/1816a207-6abf-408c-b19… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-08T09:30:13.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
],
"source": {
"advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3138",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"name": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
]
},
"source": {
"advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3138",
"datePublished": "2022-09-08T09:30:14.000Z",
"dateReserved": "2022-09-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3148 (GCVE-0-2022-3148)
Vulnerability from cvelistv5 – Published: 2022-09-08 09:25 – Updated: 2024-08-03 01:00
VLAI
Title
Cross-site Scripting (XSS) - Generic in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
Severity
5.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/1f730015-b4d0-4f84-8ca… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/b5dfeb238… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-08T09:25:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
],
"source": {
"advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3148",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
]
},
"source": {
"advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3148",
"datePublished": "2022-09-08T09:25:09.000Z",
"dateReserved": "2022-09-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3127 (GCVE-0-2022-3127)
Vulnerability from cvelistv5 – Published: 2022-09-05 12:50 – Updated: 2024-08-03 01:00
VLAI
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.
Severity
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/59887e45b… | x_refsource_MISC |
| https://huntr.dev/bounties/6cea89d1-39dc-4023-82f… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T12:50:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
],
"source": {
"advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3127",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.2.8"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"name": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
]
},
"source": {
"advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3127",
"datePublished": "2022-09-05T12:50:09.000Z",
"dateReserved": "2022-09-05T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3065 (GCVE-0-2022-3065)
Vulnerability from cvelistv5 – Published: 2022-09-02 18:15 – Updated: 2024-08-03 01:00
VLAI
Title
Improper Access Control in jgraph/drawio
Summary
Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.
Severity
5.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/59887e45b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-02T18:15:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
],
"source": {
"advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3065",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.2.8"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
]
},
"source": {
"advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3065",
"datePublished": "2022-09-02T18:15:12.000Z",
"dateReserved": "2022-08-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2015 (GCVE-0-2022-2015)
Vulnerability from cvelistv5 – Published: 2022-06-08 08:30 – Updated: 2024-08-03 00:24
VLAI
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/3d3f819d7… | x_refsource_MISC |
| https://huntr.dev/bounties/0d32f448-155c-4b71-929… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 19.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "19.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-08T08:30:14.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
],
"source": {
"advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2015",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.0.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"name": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
]
},
"source": {
"advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2015",
"datePublished": "2022-06-08T08:30:14.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:43.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2014 (GCVE-0-2022-2014)
Vulnerability from cvelistv5 – Published: 2022-06-08 07:25 – Updated: 2024-08-03 00:24
VLAI
Title
Code Injection in jgraph/drawio
Summary
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
Severity
9.6 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/911a4ada-7fd6-467a-a46… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/3d3f819d7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 19.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "19.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-08T07:25:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
],
"source": {
"advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
"discovery": "EXTERNAL"
},
"title": "Code Injection in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2014",
"STATE": "PUBLIC",
"TITLE": "Code Injection in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.0.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
]
},
"source": {
"advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2014",
"datePublished": "2022-06-08T07:25:11.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:44.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1815 (GCVE-0-2022-1815)
Vulnerability from cvelistv5 – Published: 2022-05-25 08:15 – Updated: 2024-08-03 00:16
VLAI
Title
Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio
Summary
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/6e856a25-9117-47c6-937… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/c287bef91… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.1.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:59.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.1.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-25T08:15:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
],
"source": {
"advisory": "6e856a25-9117-47c6-9375-52f78876902f",
"discovery": "EXTERNAL"
},
"title": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1815",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.1.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"name": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
]
},
"source": {
"advisory": "6e856a25-9117-47c6-9375-52f78876902f",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1815",
"datePublished": "2022-05-25T08:15:15.000Z",
"dateReserved": "2022-05-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:59.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1784 (GCVE-0-2022-1784)
Vulnerability from cvelistv5 – Published: 2022-05-20 12:15 – Updated: 2024-08-03 00:16
VLAI
Title
Server-Side Request Forgery (SSRF) in jgraph/drawio
Summary
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/c63f3a044… | x_refsource_MISC |
| https://huntr.dev/bounties/d1330ce8-cccb-4bae-b9a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:59.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/d1330ce8-cccb-4bae-b9a9-a03b97f444a5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T12:15:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/d1330ce8-cccb-4bae-b9a9-a03b97f444a5"
}
],
"source": {
"advisory": "d1330ce8-cccb-4bae-b9a9-a03b97f444a5",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1784",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.8"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
},
{
"name": "https://huntr.dev/bounties/d1330ce8-cccb-4bae-b9a9-a03b97f444a5",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/d1330ce8-cccb-4bae-b9a9-a03b97f444a5"
}
]
},
"source": {
"advisory": "d1330ce8-cccb-4bae-b9a9-a03b97f444a5",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1784",
"datePublished": "2022-05-20T12:15:11.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:59.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1730 (GCVE-0-2022-1730)
Vulnerability from cvelistv5 – Published: 2022-05-19 13:55 – Updated: 2024-08-03 00:16
VLAI
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.
Severity
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/4deecee18… | x_refsource_MISC |
| https://huntr.dev/bounties/fded4835-bd49-4533-831… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.4
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:58.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/fded4835-bd49-4533-8311-1d71e0ed7c00"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T13:55:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/fded4835-bd49-4533-8311-1d71e0ed7c00"
}
],
"source": {
"advisory": "fded4835-bd49-4533-8311-1d71e0ed7c00",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1730",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.4"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687"
},
{
"name": "https://huntr.dev/bounties/fded4835-bd49-4533-8311-1d71e0ed7c00",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/fded4835-bd49-4533-8311-1d71e0ed7c00"
}
]
},
"source": {
"advisory": "fded4835-bd49-4533-8311-1d71e0ed7c00",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1730",
"datePublished": "2022-05-19T13:55:12.000Z",
"dateReserved": "2022-05-16T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:58.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1774 (GCVE-0-2022-1774)
Vulnerability from cvelistv5 – Published: 2022-05-18 20:40 – Updated: 2024-08-03 00:16
VLAI
Title
Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio
Summary
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.
Severity
8.2 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/c63f3a044… | x_refsource_MISC |
| https://huntr.dev/bounties/6ac07c49-bb7f-47b5-b36… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.7
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:59.870Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/6ac07c49-bb7f-47b5-b361-33e6757b8757"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-18T20:40:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/6ac07c49-bb7f-47b5-b361-33e6757b8757"
}
],
"source": {
"advisory": "6ac07c49-bb7f-47b5-b361-33e6757b8757",
"discovery": "EXTERNAL"
},
"title": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1774",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.7"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
},
{
"name": "https://huntr.dev/bounties/6ac07c49-bb7f-47b5-b361-33e6757b8757",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/6ac07c49-bb7f-47b5-b361-33e6757b8757"
}
]
},
"source": {
"advisory": "6ac07c49-bb7f-47b5-b361-33e6757b8757",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1774",
"datePublished": "2022-05-18T20:40:10.000Z",
"dateReserved": "2022-05-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:59.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1767 (GCVE-0-2022-1767)
Vulnerability from cvelistv5 – Published: 2022-05-18 15:45 – Updated: 2024-08-03 00:16
VLAI
Title
Server-Side Request Forgery (SSRF) in jgraph/drawio
Summary
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/b1ce040c-9ed1-4d36-9b4… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/c63f3a044… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.7
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:59.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/b1ce040c-9ed1-4d36-9b48-82df42310868"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-18T15:45:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/b1ce040c-9ed1-4d36-9b48-82df42310868"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
}
],
"source": {
"advisory": "b1ce040c-9ed1-4d36-9b48-82df42310868",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1767",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.7"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/b1ce040c-9ed1-4d36-9b48-82df42310868",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/b1ce040c-9ed1-4d36-9b48-82df42310868"
},
{
"name": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"
}
]
},
"source": {
"advisory": "b1ce040c-9ed1-4d36-9b48-82df42310868",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1767",
"datePublished": "2022-05-18T15:45:11.000Z",
"dateReserved": "2022-05-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:59.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1727 (GCVE-0-2022-1727)
Vulnerability from cvelistv5 – Published: 2022-05-18 10:25 – Updated: 2024-08-03 00:16
VLAI
Title
Improper Input Validation in jgraph/drawio
Summary
Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6.
Severity
8.3 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/b242e806-fc8c-41c0-aad… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/4deecee18… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:58.942Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/b242e806-fc8c-41c0-aad7-e0c9c37ecdee"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-18T10:25:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/b242e806-fc8c-41c0-aad7-e0c9c37ecdee"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687"
}
],
"source": {
"advisory": "b242e806-fc8c-41c0-aad7-e0c9c37ecdee",
"discovery": "EXTERNAL"
},
"title": "Improper Input Validation in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1727",
"STATE": "PUBLIC",
"TITLE": "Improper Input Validation in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.6"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/b242e806-fc8c-41c0-aad7-e0c9c37ecdee",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/b242e806-fc8c-41c0-aad7-e0c9c37ecdee"
},
{
"name": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/4deecee18191f67e242422abf3ca304e19e49687"
}
]
},
"source": {
"advisory": "b242e806-fc8c-41c0-aad7-e0c9c37ecdee",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1727",
"datePublished": "2022-05-18T10:25:12.000Z",
"dateReserved": "2022-05-16T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:58.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1711 (GCVE-0-2022-1711)
Vulnerability from cvelistv5 – Published: 2022-05-17 12:40 – Updated: 2024-08-03 00:10
VLAI
Title
Server-Side Request Forgery (SSRF) in jgraph/drawio
Summary
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/cf5c78aa0… | x_refsource_MISC |
| https://huntr.dev/bounties/c32afff5-6ad5-4d4d-bee… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/c32afff5-6ad5-4d4d-beea-f55ab4925797"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-17T12:40:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/c32afff5-6ad5-4d4d-beea-f55ab4925797"
}
],
"source": {
"advisory": "c32afff5-6ad5-4d4d-beea-f55ab4925797",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1711",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.5"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae"
},
{
"name": "https://huntr.dev/bounties/c32afff5-6ad5-4d4d-beea-f55ab4925797",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/c32afff5-6ad5-4d4d-beea-f55ab4925797"
}
]
},
"source": {
"advisory": "c32afff5-6ad5-4d4d-beea-f55ab4925797",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1711",
"datePublished": "2022-05-17T12:40:09.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1723 (GCVE-0-2022-1723)
Vulnerability from cvelistv5 – Published: 2022-05-17 08:35 – Updated: 2024-08-03 00:16
VLAI
Title
Server-Side Request Forgery (SSRF) in jgraph/drawio
Summary
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/619851a4-2a08-4196-80e… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/7a68ebe22… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:58.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/619851a4-2a08-4196-80e9-ab41953491d8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-17T08:35:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/619851a4-2a08-4196-80e9-ab41953491d8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034"
}
],
"source": {
"advisory": "619851a4-2a08-4196-80e9-ab41953491d8",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1723",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.6"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/619851a4-2a08-4196-80e9-ab41953491d8",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/619851a4-2a08-4196-80e9-ab41953491d8"
},
{
"name": "https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034"
}
]
},
"source": {
"advisory": "619851a4-2a08-4196-80e9-ab41953491d8",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1723",
"datePublished": "2022-05-17T08:35:10.000Z",
"dateReserved": "2022-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:58.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1713 (GCVE-0-2022-1713)
Vulnerability from cvelistv5 – Published: 2022-05-16 14:31 – Updated: 2024-08-03 00:10
VLAI
Title
SSRF on /proxy in jgraph/drawio
Summary
SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/283d41ec8… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.4
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T14:31:52.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee"
}
],
"source": {
"advisory": "cad3902f-3afb-4ed2-abd0-9f96a248de11",
"discovery": "EXTERNAL"
},
"title": "SSRF on /proxy in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1713",
"STATE": "PUBLIC",
"TITLE": "SSRF on /proxy in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.4"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11"
},
{
"name": "https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee"
}
]
},
"source": {
"advisory": "cad3902f-3afb-4ed2-abd0-9f96a248de11",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1713",
"datePublished": "2022-05-16T14:31:52.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1721 (GCVE-0-2022-1721)
Vulnerability from cvelistv5 – Published: 2022-05-16 14:31 – Updated: 2024-08-03 00:10
VLAI
Title
Path Traversal in WellKnownServlet in jgraph/drawio
Summary
Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application.
Severity
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/000931cc-6d0e-4a4f-b4d… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/01ccb271d… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.857Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/000931cc-6d0e-4a4f-b4d8-4ba46ba0e699"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/01ccb271d34258872b859c0fc1d253cc81341917"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T14:31:26.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/000931cc-6d0e-4a4f-b4d8-4ba46ba0e699"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/01ccb271d34258872b859c0fc1d253cc81341917"
}
],
"source": {
"advisory": "000931cc-6d0e-4a4f-b4d8-4ba46ba0e699",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in WellKnownServlet in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1721",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in WellKnownServlet in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.5"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/000931cc-6d0e-4a4f-b4d8-4ba46ba0e699",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/000931cc-6d0e-4a4f-b4d8-4ba46ba0e699"
},
{
"name": "https://github.com/jgraph/drawio/commit/01ccb271d34258872b859c0fc1d253cc81341917",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/01ccb271d34258872b859c0fc1d253cc81341917"
}
]
},
"source": {
"advisory": "000931cc-6d0e-4a4f-b4d8-4ba46ba0e699",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1721",
"datePublished": "2022-05-16T14:31:26.000Z",
"dateReserved": "2022-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1722 (GCVE-0-2022-1722)
Vulnerability from cvelistv5 – Published: 2022-05-16 14:31 – Updated: 2024-08-03 00:10
VLAI
Title
SSRF in editor's proxy via IPv6 link-local address in jgraph/drawio
Summary
SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/c903d563-ba97-44e9-b42… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/cf5c78aa0… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/c903d563-ba97-44e9-b421-22bfab1e0cbd"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SSRF in editor\u0027s proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T14:31:21.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/c903d563-ba97-44e9-b421-22bfab1e0cbd"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae"
}
],
"source": {
"advisory": "c903d563-ba97-44e9-b421-22bfab1e0cbd",
"discovery": "EXTERNAL"
},
"title": "SSRF in editor\u0027s proxy via IPv6 link-local address in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1722",
"STATE": "PUBLIC",
"TITLE": "SSRF in editor\u0027s proxy via IPv6 link-local address in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.5"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SSRF in editor\u0027s proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/c903d563-ba97-44e9-b421-22bfab1e0cbd",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/c903d563-ba97-44e9-b421-22bfab1e0cbd"
},
{
"name": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae"
}
]
},
"source": {
"advisory": "c903d563-ba97-44e9-b421-22bfab1e0cbd",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1722",
"datePublished": "2022-05-16T14:31:21.000Z",
"dateReserved": "2022-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1575 (GCVE-0-2022-1575)
Vulnerability from cvelistv5 – Published: 2022-05-05 11:45 – Updated: 2024-08-03 00:10
VLAI
Title
Arbitrary Code Execution through Sanitizer Bypass in jgraph/drawio
Summary
Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.
Severity
9.6 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/033d3423-eb05-4b53-a74… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/f768ed738… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.0.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba873127"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/f768ed73875d5eca20110b9c1d72f2789cd1bab7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T11:45:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba873127"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/f768ed73875d5eca20110b9c1d72f2789cd1bab7"
}
],
"source": {
"advisory": "033d3423-eb05-4b53-a747-1bfcba873127",
"discovery": "EXTERNAL"
},
"title": "Arbitrary Code Execution through Sanitizer Bypass in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1575",
"STATE": "PUBLIC",
"TITLE": "Arbitrary Code Execution through Sanitizer Bypass in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.0.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba873127",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba873127"
},
{
"name": "https://github.com/jgraph/drawio/commit/f768ed73875d5eca20110b9c1d72f2789cd1bab7",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/f768ed73875d5eca20110b9c1d72f2789cd1bab7"
}
]
},
"source": {
"advisory": "033d3423-eb05-4b53-a747-1bfcba873127",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1575",
"datePublished": "2022-05-05T11:45:12.000Z",
"dateReserved": "2022-05-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13127 (GCVE-0-2019-13127)
Vulnerability from cvelistv5 – Published: 2019-07-01 14:33 – Updated: 2024-08-04 23:41
VLAI
Summary
An issue was discovered in mxGraph through 4.0.0, related to the "draw.io Diagrams" plugin before 8.3.14 for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://marketplace.atlassian.com/apps/1210933/dr… | x_refsource_MISC |
| https://www.syss.de/fileadmin/dokumente/Publikati… | x_refsource_MISC |
| https://github.com/jgraph/mxgraph/commit/76e8e280… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluence/version-history"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-032.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/mxgraph/commit/76e8e2809b622659a9c5ffdc4f19922b7a68cfa3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in mxGraph through 4.0.0, related to the \"draw.io Diagrams\" plugin before 8.3.14 for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-01T14:33:36.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluence/version-history"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-032.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/mxgraph/commit/76e8e2809b622659a9c5ffdc4f19922b7a68cfa3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in mxGraph through 4.0.0, related to the \"draw.io Diagrams\" plugin before 8.3.14 for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluence/version-history",
"refsource": "MISC",
"url": "https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluence/version-history"
},
{
"name": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-032.txt",
"refsource": "MISC",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-032.txt"
},
{
"name": "https://github.com/jgraph/mxgraph/commit/76e8e2809b622659a9c5ffdc4f19922b7a68cfa3",
"refsource": "MISC",
"url": "https://github.com/jgraph/mxgraph/commit/76e8e2809b622659a9c5ffdc4f19922b7a68cfa3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13127",
"datePublished": "2019-07-01T14:33:36.000Z",
"dateReserved": "2019-07-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T23:41:10.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}