XSS and CSP bypass in app.diagrams.net in jgraph/drawio


Reported on

Nov 4th 2022


The application reflects an input from the URL without sanitizing it. Combined with a CSP bypass via apis.google.com, it is possible to execute JavaScript code.

Proof of Concept



XSS, Phishing


A fix would be to use mxUtils.htmlEntities(var), as it is used in other places.
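The reflection pattern the report describes beside the htmlEntities-style fix it recommends, as an added example that is not drawio's own code: escapeHtml reimplements the characters mxUtils.htmlEntities is documented to escape (an assumption based on mxGraph's public mxUtils, not the project's actual function), and the `ticket` parameter name and the constructed query string are hypothetical.

```javascript
// Added example, not code from drawio or this report. escapeHtml mirrors the
// replacements performed by mxGraph's mxUtils.htmlEntities (assumed from the
// public mxGraph source); the "ticket" parameter name is hypothetical.
function escapeHtml(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\n/g, '&#xa;');
}

// Reads a query parameter the way a page would from window.location.search.
function getParam(search, name) {
  return new URLSearchParams(search).get(name);
}

// Vulnerable: the raw URL value is concatenated into markup, so any tags in it
// are parsed as HTML once the string is assigned to innerHTML. A CSP that
// whitelists a bypassable origin does not stop this; output encoding does.
function renderUnsafe(search) {
  const ticket = getParam(search, 'ticket');
  return '<div class="msg">Ticket: ' + ticket + '</div>';
}

// Fixed: escape before interpolation so the value is displayed as text.
function renderSafe(search) {
  const ticket = getParam(search, 'ticket');
  return '<div class="msg">Ticket: ' + escapeHtml(ticket) + '</div>';
}

// Constructed input carrying harmless markup, used to verify the fix.
const CONSTRUCTED_QUERY = '?ticket=' + encodeURIComponent('<b>injected</b>');

// Defender-side check: does the interpolated value survive as live markup?
function containsRawTag(html) {
  return /<b>injected<\/b>/.test(html);
}
```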

We are processing your report and will contact the jgraph/drawio team within 24 hours. a year ago
David Benson validated this vulnerability a year ago

Another good catch

Joao Vitor Maia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson marked this as fixed in 20.5.2 with commit d37894 a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
tickets.js#L83 has been validated
David Benson published this vulnerability a year ago