First published: Wed Apr 17 2024(Updated: )
### Summary A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. ### Poc Inserting an embed with the below url (can be copy/pasted onto canvas to insert as embed) will log `42` to the console: ``` https://gist.github.com/vv=v<script>console.log(42)</script> ``` ### Details There were two vectors. One rendering untrusted string as iframe's `srcdoc` without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing `allow-same-origin` sandbox flag (necessary for several embeds) resulted in the XSS. Former was fixed by no longer rendering unsafe `srcdoc` content verbatim, and instead strictly parsing the supplied content and constructing the `srcdoc` manually. The latter by sanitizing properly. The `allow-same-origin` flag is now also set only in cases that require it, following the principle of least privilege. ### Impact This is a cross site scripting vulnerability, for more information, please see: https://portswigger.net/web-security/cross-site-scripting Two npm `@excalidraw/excalidraw` stable version releases were affected (`0.16.x`, `0.17.x`), and both are now patched.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/@excalidraw/excalidraw | >=0.17.0<0.17.6 | 0.17.6 |
npm/@excalidraw/excalidraw | >=0.16.0<0.16.4 | 0.16.4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.