CVE-2019-13127 – mxgraph

Package

Manager: npm
Name: mxgraph
Vulnerable Version: >=0 <4.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00332 pctl0.55424

Details

mxGraph vulnerable to cross-site scripting in color field mxGraph through 4.0.0, related to the [draw.io Diagrams](https://github.com/jgraph/drawio) plugin before 8.3.14 for Confluence and other products, is vulnerable to cross-site scripting. draw.io Diagrams allows the creation and editing of draw.io-based diagrams in Confluence. Among other things, it allows to set the background color of text displayed in the diagram. The color provided by the user is notproperly sanitized, leading to HTML and JavaScript code to be displayed "as it is" to visitors of the page. This allows attackers to execute JavaScript code in the context of the visitor's browser and session and to e.g. run Confluence command under the visitor's user or attack the visitor's browser. **Proof of Concept (PoC):** 1. Create a new draw.io Diagram, add an element and edit its background color and enter some text to the element 2. Enter the following "color": `onMouseOver=alert(1) a=` 3. Save and view the resulting diagram, moving your mouse over the text

Metadata

Created: 2022-05-24T16:49:07Z
Modified: 2023-10-19T18:54:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xm59-jvxm-cp3v/GHSA-xm59-jvxm-cp3v.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xm59-jvxm-cp3v
Finding: F425
Auto approve: 1