OS Command Injection in jgraph/drawio
CVE-2023-3974

9.6 CRITICAL

Key Information:

Vendor: Jgraph
CVE Published: 27 July 2023

What is CVE-2023-3974?

The jgraph/drawio project is susceptible to an OS command injection vulnerability that allows an attacker to execute arbitrary commands on the host operating system. All versions prior to 21.4.0 are affected, which poses a significant risk to users who rely on the tool for diagramming and collaboration. Successful exploitation gives the attacker the ability to run commands of their choosing on the host, which can lead to unauthorized access, data breaches and further compromise. Upgrading to version 21.4.0 or later mitigates the issue.

Affected Version(s)

jgraph/drawio < 21.4.0

References

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved