Stored XSS on drawio in jgraph/drawio

Valid

Reported on

May 15th 2022


Summary

draw.io has a feature for attaching a link to a text element. Because the link value is not sanitized correctly, it accepts the javascript: scheme in the anchor tag's href, which allows arbitrary JavaScript to execute when the link is clicked.

Steps to reproduce

  1. Create a text box and set the font size to 50
  2. Right-click it and choose "Edit link"
  3. Enter asdf://test.com
  4. Right-click it again and choose "Edit data"
  5. Set the "link" attribute to javascript:javascript://%0aalert(document.domain)
  6. Export the page as a URL
  7. Click the link
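
The steps above show two code paths setting the same link attribute (the link editor and the data editor), and a sanitizer that a repeated `javascript:` prefix gets past. The following is an added example written for this write-up, not code from draw.io or from the reporter: an allowlist-based scheme check applied where the anchor is rendered, so every path that sets the attribute is covered. The scheme list, the function names, and the use of the WHATWG URL API with a placeholder base for relative links are assumptions.

```javascript
// Added example (not draw.io's own code): allowlist-based href check applied
// when the anchor is rendered, so every path that sets the link attribute
// (link editor, data editor, imported file) goes through the same control.
// Assumption: the WHATWG URL API is available (browser or Node); relative
// links are acceptable and are resolved against a placeholder base.

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'ftp:']);
const RELATIVE_BASE = 'https://placeholder.invalid/'; // only used to resolve relative links

// Scheme the browser would act on, or null when the value is not a URL at all.
// The WHATWG parser already drops leading/trailing control characters and any
// tab or newline, so whitespace and "%0a" tricks do not change the result.
function effectiveScheme(raw) {
  try {
    return new URL(raw, RELATIVE_BASE).protocol;
  } catch (e) {
    return null;
  }
}

// Allowlist, not blocklist: anything that is not a known-harmless scheme is
// rejected, so stripping one "javascript:" prefix and leaving another behind
// can never produce an accepted value.
function isSafeLink(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return false;
  const scheme = effectiveScheme(raw);
  return scheme !== null && SAFE_SCHEMES.has(scheme);
}

// Value to put in the href: the original when safe, otherwise an inert fragment.
function sanitizeHref(raw) {
  return isSafeLink(raw) ? raw : '#';
}

// Escape for an HTML attribute so the value cannot break out of the quotes.
function escapeAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render the anchor for a text element's "link" attribute; the check runs
// here, at the point of use, regardless of which editor wrote the value.
function renderLink(href, text) {
  return `<a href="${escapeAttr(sanitizeHref(href))}">${escapeAttr(text)}</a>`;
}

// Constructed inputs: the payload and the placeholder scheme from the steps
// above, plus ordinary links that must keep working.
const samples = [
  'javascript:javascript://%0aalert(document.domain)',
  'asdf://test.com',
  'https://example.com/docs?x=1',
  'mailto:team@example.com',
  'page2.html',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isSafeLink(s) ? 'allowed' : 'rejected');
}
```

The point of parsing with `URL` rather than matching strings is that the decision is made on the same interpretation the browser will use; the point of the allowlist is that a second `javascript:` left behind after stripping the first is still not `http:` or `https:` and so is still rejected.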

Impact

It also affects Confluence, since draw.io is available as an app on the marketplace. PoC video: https://youtu.be/RHevZOx1nhc

We are processing your report and will contact the jgraph/drawio team within 24 hours. a month ago
David Benson validated this vulnerability a month ago
Joao Vitor Maia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson gave praise a month ago
Thank you for correctly scoring the fix initially. There are many attempts to simply score everything as critical; we do remember when researchers score professionally.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
David Benson confirmed that a fix has been merged on 4deece a month ago
The fix bounty has been dropped
Joao Vitor Maia (Researcher), a month ago:
Appreciate that!
