OS Command Injection in jgraph/drawio
CVE-2023-3975

CVSS 8.3 (HIGH)

Key Information:

Vendor

Jgraph

CVE Published:
27 July 2023

What is CVE-2023-3975?

An OS Command Injection vulnerability affects JGraph's Draw.io product in versions prior to 21.5.0. The issue allows an attacker to execute arbitrary commands on the server. The flaw arises from improper handling of user input, which can be manipulated to include malicious commands. Users are encouraged to update to version 21.5.0 or later to mitigate this risk. Details and fixes for this vulnerability can be found in the official GitHub repository.

Affected Version(s)

jgraph/drawio < 21.5.0

References

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
