CVE-2024-32472 – @excalidraw/excalidraw

Package

Manager: npm
Name: @excalidraw/excalidraw
Vulnerable Version: >=0.16.0 <0.16.4 || >=0.17.0 <0.17.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00245 pctl0.4769

Details

Stored Cross-site Scripting (XSS) in excalidraw's web embed component ### Summary A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. ### Poc Inserting an embed with the below url (can be copy/pasted onto canvas to insert as embed) will log `42` to the console: ``` https://gist.github.com/vv=v<script>console.log(42)</script> ``` ### Details There were two vectors. One rendering untrusted string as iframe's `srcdoc` without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing `allow-same-origin` sandbox flag (necessary for several embeds) resulted in the XSS. Former was fixed by no longer rendering unsafe `srcdoc` content verbatim, and instead strictly parsing the supplied content and constructing the `srcdoc` manually. The latter by sanitizing properly. The `allow-same-origin` flag is now also set only in cases that require it, following the principle of least privilege. ### Impact This is a cross site scripting vulnerability, for more information, please see: https://portswigger.net/web-security/cross-site-scripting Two npm `@excalidraw/excalidraw` stable version releases were affected (`0.16.x`, `0.17.x`), and both are now patched.

Metadata

Created: 2024-04-17T21:32:57Z
Modified: 2024-04-18T00:31:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m64q-4jqh-f72f/GHSA-m64q-4jqh-f72f.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-m64q-4jqh-f72f
Finding: F425
Auto approve: 1