GHSA-XM59-JVXM-CP3V

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-10-19 18:54
VLAI?
Summary
mxGraph vulnerable to cross-site scripting in color field
Details

mxGraph through 4.0.0, related to the draw.io Diagrams plugin before 8.3.14 for Confluence and other products, is vulnerable to cross-site scripting. draw.io Diagrams allows the creation and editing of draw.io-based diagrams in Confluence. Among other things, it allows to set the background color of text displayed in the diagram. The color provided by the user is notproperly sanitized, leading to HTML and JavaScript code to be displayed "as it is" to visitors of the page. This allows attackers to execute JavaScript code in the context of the visitor's browser and session and to e.g. run Confluence command under the visitor's user or attack the visitor's browser.

Proof of Concept (PoC):

  1. Create a new draw.io Diagram, add an element and edit its background color and enter some text to the element
  2. Enter the following "color": onMouseOver=alert(1) a=
  3. Save and view the resulting diagram, moving your mouse over the text
Severity ?
6.1 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mxgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-13127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T18:54:37Z",
    "nvd_published_at": "2019-07-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "mxGraph through 4.0.0, related to the [draw.io Diagrams](https://github.com/jgraph/drawio) plugin before 8.3.14 for Confluence and other products, is vulnerable to cross-site scripting. draw.io Diagrams allows the creation and editing of draw.io-based diagrams in Confluence. Among other things, it allows to set the background color of text displayed in the diagram. The color provided by the user is notproperly sanitized, leading to HTML and JavaScript code to be displayed \"as it is\" to visitors of the page. This allows attackers to execute JavaScript code in the context of the visitor\u0027s browser and session and to e.g. run Confluence command under the visitor\u0027s user or attack the visitor\u0027s browser.\n\n**Proof of Concept (PoC):**\n\n1. Create a new draw.io Diagram, add an element and edit its background color and enter some text to the element\n2. Enter the following \"color\": `onMouseOver=alert(1) a=`\n3. Save and view the resulting diagram, moving your mouse over the text",
  "id": "GHSA-xm59-jvxm-cp3v",
  "modified": "2023-10-19T18:54:37Z",
  "published": "2022-05-24T16:49:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13127"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jgraph/mxgraph/commit/76e8e2809b622659a9c5ffdc4f19922b7a68cfa3"
    },
    {
      "type": "WEB",
      "url": "https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluence/version-history"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-032.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mxGraph vulnerable to cross-site scripting in color field"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.