Stored XSS on drawio in jgraph/drawio


Reported on

May 15th 2022


Draw io has a feature to put links on a text, due to a bad sanitization it allows to put javascript:// scheme on a anchor tag which allows to execute javascript code

Steps to reproduce

  1. Create a text box and set word size to 50
  2. Click with the rigth button and "Edit link"
  3. Put asdf://
  4. Click with the rigth button again and "Edit data"
  5. On the "link" attribute put javascript:javascript://%0aalert(document.domain)
  6. Export the page as URL
  7. Click on the link


It also affects confluence as its available as an app on the marketplace, POC video:

We are processing your report and will contact the jgraph/drawio team within 24 hours. a year ago
David Benson validated this vulnerability a year ago
Joao Vitor Maia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson gave praise a year ago
Thank you for correctly scoring the fix initially. There's many attempts to simply score everything as critical, we do remember when researchers score professionally.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
David Benson marked this as fixed in 18.0.4 with commit 4deece a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Joao Vitor Maia
a year ago


Appreciate that!

to join this conversation