Cross-site Scripting (XSS) - Reflected in jgraph/drawio
CVE-2023-3973
9.6 CRITICAL
What is CVE-2023-3973?
A reflected Cross-site Scripting (XSS) vulnerability exists in Drawio versions prior to 21.6.3, allowing malicious actors to inject and execute arbitrary scripts in the context of a user's browser session. Exploitation could lead to unauthorized actions or data exposure for users interacting with the affected application, putting their sensitive information at risk.
Affected Version(s)
jgraph/drawio < 21.6.3
