Arbitrary Code Execution through Sanitizer Bypass in jgraph/drawio
CVE-2022-1575

9.6CRITICAL

Key Information:

Vendor: Jgraph
Status: Jgraph/drawio
Vendor: CVE Published:; 5 May 2022

What is CVE-2022-1575?

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.

Affected Version(s)

jgraph/drawio < 18.0.0

References

https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba...

x_refsource_CONFIRM

https://github.com/jgraph/drawio/commit/f768ed73875d5eca2...

x_refsource_MISC

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

CVSS V3.0

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2022
Vulnerability Reserved
May 4, 2022

CVE-2022-1575 Data

JSON

Jgraph

What is CVE-2022-1575?

Affected Version(s)

References

CVSS V3.1

CVSS V3.0

Timeline