Search

Find a vulnerability

Search criteria

    52 vulnerabilities found for jgraph/drawio by jgraph

    CVE-2023-3975 (GCVE-0-2023-3975)

    Vulnerability from nvd – Published: 2023-07-27 14:34 – Updated: 2024-10-15 15:32
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.5.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.5.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3975",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:26.147244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:32:40.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.5.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:34:10.847Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
            }
          ],
          "source": {
            "advisory": "4da96d20-78ac-462e-910c-a14db9062161",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3975",
        "datePublished": "2023-07-27T14:34:10.847Z",
        "dateReserved": "2023-07-27T14:34:05.900Z",
        "dateUpdated": "2024-10-15T15:32:40.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3974 (GCVE-0-2023-3974)

    Vulnerability from nvd – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.4.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.4.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.4.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3974",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:43.684638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:08.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:31.671Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
            }
          ],
          "source": {
            "advisory": "ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3974",
        "datePublished": "2023-07-27T14:33:31.671Z",
        "dateReserved": "2023-07-27T14:33:26.406Z",
        "dateUpdated": "2024-10-15T15:36:08.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3973 (GCVE-0-2023-3973)

    Vulnerability from nvd – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    Cross-site Scripting (XSS) - Reflected in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.6.3 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.6.3 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.699Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3973",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:04:11.770958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:46.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.6.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:11.271Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
            }
          ],
          "source": {
            "advisory": "4c1c5db5-210f-4d7e-8380-b95f88fdb78d",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Reflected in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3973",
        "datePublished": "2023-07-27T14:33:11.271Z",
        "dateReserved": "2023-07-27T14:32:56.314Z",
        "dateUpdated": "2024-10-15T15:36:46.194Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3398 (GCVE-0-2023-3398)

    Vulnerability from nvd – Published: 2023-06-26 10:05 – Updated: 2024-12-03 18:47
    VLAI
    Title
    Denial of Service in jgraph/drawio
    Summary
    Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 18.1.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.225Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3398",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:44:34.481992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:47:29.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "18.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-26T10:05:09.278Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
            }
          ],
          "source": {
            "advisory": "aa087215-80e1-433d-b870-650705630e69",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3398",
        "datePublished": "2023-06-26T10:05:09.278Z",
        "dateReserved": "2023-06-26T10:04:56.783Z",
        "dateUpdated": "2024-12-03T18:47:29.317Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3026 (GCVE-0-2023-3026)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-10 18:55
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:41:04.335Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3026",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-10T18:55:51.968547Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-10T18:55:55.645Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://huntr.com/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
            }
          ],
          "source": {
            "advisory": "9bbcc127-1e69-4c88-b318-d2afef48eff0",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3026",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-06-01T00:00:00.000Z",
        "dateUpdated": "2025-01-10T18:55:55.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3873 (GCVE-0-2022-3873)

    Vulnerability from nvd – Published: 2022-11-07 00:00 – Updated: 2025-05-01 17:59
    VLAI
    Title
    Cross-site Scripting (XSS) - DOM in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.5.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:20:58.575Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3873",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T17:55:24.006232Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-01T17:59:19.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.5.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-07T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
            }
          ],
          "source": {
            "advisory": "52a4085e-b687-489b-9ed6-f0987583ed77",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - DOM in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3873",
        "datePublished": "2022-11-07T00:00:00.000Z",
        "dateReserved": "2022-11-07T00:00:00.000Z",
        "dateUpdated": "2025-05-01T17:59:19.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3223 (GCVE-0-2022-3223)

    Vulnerability from nvd – Published: 2022-09-16 10:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.759Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T10:50:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
            }
          ],
          "source": {
            "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3223",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
                }
              ]
            },
            "source": {
              "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3223",
        "datePublished": "2022-09-16T10:50:12.000Z",
        "dateReserved": "2022-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3133 (GCVE-0-2022-3133)

    Vulnerability from nvd – Published: 2022-09-09 17:55 – Updated: 2024-08-03 01:00
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-09T17:55:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
            }
          ],
          "source": {
            "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3133",
              "STATE": "PUBLIC",
              "TITLE": "OS Command Injection in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
                }
              ]
            },
            "source": {
              "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3133",
        "datePublished": "2022-09-09T17:55:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3148 (GCVE-0-2022-3148)

    Vulnerability from nvd – Published: 2022-09-08 09:25 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:25:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            }
          ],
          "source": {
            "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3148",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                }
              ]
            },
            "source": {
              "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3148",
        "datePublished": "2022-09-08T09:25:09.000Z",
        "dateReserved": "2022-09-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.577Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3138 (GCVE-0-2022-3138)

    Vulnerability from nvd – Published: 2022-09-08 09:30 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.521Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:30:13.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
            }
          ],
          "source": {
            "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3138",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                },
                {
                  "name": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
                }
              ]
            },
            "source": {
              "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3138",
        "datePublished": "2022-09-08T09:30:14.000Z",
        "dateReserved": "2022-09-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3127 (GCVE-0-2022-3127)

    Vulnerability from nvd – Published: 2022-09-05 12:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-05T12:50:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
            }
          ],
          "source": {
            "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3127",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                },
                {
                  "name": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
                }
              ]
            },
            "source": {
              "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3127",
        "datePublished": "2022-09-05T12:50:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3065 (GCVE-0-2022-3065)

    Vulnerability from nvd – Published: 2022-09-02 18:15 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Improper Access Control in jgraph/drawio
    Summary
    Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.156Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-02T18:15:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            }
          ],
          "source": {
            "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Access Control in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3065",
              "STATE": "PUBLIC",
              "TITLE": "Improper Access Control in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                }
              ]
            },
            "source": {
              "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3065",
        "datePublished": "2022-09-02T18:15:12.000Z",
        "dateReserved": "2022-08-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2015 (GCVE-0-2022-2015)

    Vulnerability from nvd – Published: 2022-06-08 08:30 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 19.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:43.934Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "19.0.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-08T08:30:14.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
            }
          ],
          "source": {
            "advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-2015",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "19.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
                },
                {
                  "name": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
                }
              ]
            },
            "source": {
              "advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-2015",
        "datePublished": "2022-06-08T08:30:14.000Z",
        "dateReserved": "2022-06-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:43.934Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2014 (GCVE-0-2022-2014)

    Vulnerability from nvd – Published: 2022-06-08 07:25 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Code Injection in jgraph/drawio
    Summary
    Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
    CWE
    • CWE-94 - Improper Control of Generation of Code
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 19.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.057Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "19.0.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-08T07:25:11.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
            }
          ],
          "source": {
            "advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
            "discovery": "EXTERNAL"
          },
          "title": "Code Injection in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-2014",
              "STATE": "PUBLIC",
              "TITLE": "Code Injection in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "19.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-94 Improper Control of Generation of Code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
                }
              ]
            },
            "source": {
              "advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-2014",
        "datePublished": "2022-06-08T07:25:11.000Z",
        "dateReserved": "2022-06-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:44.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-1815 (GCVE-0-2022-1815)

    Vulnerability from nvd – Published: 2022-05-25 08:15 – Updated: 2024-08-03 00:16
    VLAI
    Title
    Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 18.1.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:16:59.916Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "18.1.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-25T08:15:15.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
            }
          ],
          "source": {
            "advisory": "6e856a25-9117-47c6-9375-52f78876902f",
            "discovery": "EXTERNAL"
          },
          "title": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-1815",
              "STATE": "PUBLIC",
              "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "18.1.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
                }
              ]
            },
            "source": {
              "advisory": "6e856a25-9117-47c6-9375-52f78876902f",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-1815",
        "datePublished": "2022-05-25T08:15:15.000Z",
        "dateReserved": "2022-05-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:16:59.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3975 (GCVE-0-2023-3975)

    Vulnerability from cvelistv5 – Published: 2023-07-27 14:34 – Updated: 2024-10-15 15:32
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.5.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.5.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3975",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:26.147244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:32:40.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.5.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:34:10.847Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
            }
          ],
          "source": {
            "advisory": "4da96d20-78ac-462e-910c-a14db9062161",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3975",
        "datePublished": "2023-07-27T14:34:10.847Z",
        "dateReserved": "2023-07-27T14:34:05.900Z",
        "dateUpdated": "2024-10-15T15:32:40.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3974 (GCVE-0-2023-3974)

    Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.4.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.4.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.4.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3974",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:43.684638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:08.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:31.671Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
            }
          ],
          "source": {
            "advisory": "ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3974",
        "datePublished": "2023-07-27T14:33:31.671Z",
        "dateReserved": "2023-07-27T14:33:26.406Z",
        "dateUpdated": "2024-10-15T15:36:08.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3973 (GCVE-0-2023-3973)

    Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    Cross-site Scripting (XSS) - Reflected in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.6.3 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.6.3 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.699Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3973",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:04:11.770958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:46.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.6.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:11.271Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
            }
          ],
          "source": {
            "advisory": "4c1c5db5-210f-4d7e-8380-b95f88fdb78d",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Reflected in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3973",
        "datePublished": "2023-07-27T14:33:11.271Z",
        "dateReserved": "2023-07-27T14:32:56.314Z",
        "dateUpdated": "2024-10-15T15:36:46.194Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3398 (GCVE-0-2023-3398)

    Vulnerability from cvelistv5 – Published: 2023-06-26 10:05 – Updated: 2024-12-03 18:47
    VLAI
    Title
    Denial of Service in jgraph/drawio
    Summary
    Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 18.1.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.225Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3398",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:44:34.481992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:47:29.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "18.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-26T10:05:09.278Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
            }
          ],
          "source": {
            "advisory": "aa087215-80e1-433d-b870-650705630e69",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3398",
        "datePublished": "2023-06-26T10:05:09.278Z",
        "dateReserved": "2023-06-26T10:04:56.783Z",
        "dateUpdated": "2024-12-03T18:47:29.317Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3026 (GCVE-0-2023-3026)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-10 18:55
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:41:04.335Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3026",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-10T18:55:51.968547Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-10T18:55:55.645Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://huntr.com/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
            }
          ],
          "source": {
            "advisory": "9bbcc127-1e69-4c88-b318-d2afef48eff0",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3026",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-06-01T00:00:00.000Z",
        "dateUpdated": "2025-01-10T18:55:55.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3873 (GCVE-0-2022-3873)

    Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2025-05-01 17:59
    VLAI
    Title
    Cross-site Scripting (XSS) - DOM in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.5.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:20:58.575Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3873",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T17:55:24.006232Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-01T17:59:19.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.5.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-07T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
            }
          ],
          "source": {
            "advisory": "52a4085e-b687-489b-9ed6-f0987583ed77",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - DOM in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3873",
        "datePublished": "2022-11-07T00:00:00.000Z",
        "dateReserved": "2022-11-07T00:00:00.000Z",
        "dateUpdated": "2025-05-01T17:59:19.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3223 (GCVE-0-2022-3223)

    Vulnerability from cvelistv5 – Published: 2022-09-16 10:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.759Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T10:50:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
            }
          ],
          "source": {
            "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3223",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
                }
              ]
            },
            "source": {
              "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3223",
        "datePublished": "2022-09-16T10:50:12.000Z",
        "dateReserved": "2022-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3133 (GCVE-0-2022-3133)

    Vulnerability from cvelistv5 – Published: 2022-09-09 17:55 – Updated: 2024-08-03 01:00
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-09T17:55:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
            }
          ],
          "source": {
            "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3133",
              "STATE": "PUBLIC",
              "TITLE": "OS Command Injection in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
                }
              ]
            },
            "source": {
              "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3133",
        "datePublished": "2022-09-09T17:55:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3138 (GCVE-0-2022-3138)

    Vulnerability from cvelistv5 – Published: 2022-09-08 09:30 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.521Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:30:13.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
            }
          ],
          "source": {
            "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3138",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                },
                {
                  "name": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
                }
              ]
            },
            "source": {
              "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3138",
        "datePublished": "2022-09-08T09:30:14.000Z",
        "dateReserved": "2022-09-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3148 (GCVE-0-2022-3148)

    Vulnerability from cvelistv5 – Published: 2022-09-08 09:25 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:25:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            }
          ],
          "source": {
            "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3148",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                }
              ]
            },
            "source": {
              "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3148",
        "datePublished": "2022-09-08T09:25:09.000Z",
        "dateReserved": "2022-09-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.577Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3127 (GCVE-0-2022-3127)

    Vulnerability from cvelistv5 – Published: 2022-09-05 12:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-05T12:50:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
            }
          ],
          "source": {
            "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3127",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                },
                {
                  "name": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
                }
              ]
            },
            "source": {
              "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3127",
        "datePublished": "2022-09-05T12:50:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3065 (GCVE-0-2022-3065)

    Vulnerability from cvelistv5 – Published: 2022-09-02 18:15 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Improper Access Control in jgraph/drawio
    Summary
    Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.156Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-02T18:15:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            }
          ],
          "source": {
            "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Access Control in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3065",
              "STATE": "PUBLIC",
              "TITLE": "Improper Access Control in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                }
              ]
            },
            "source": {
              "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3065",
        "datePublished": "2022-09-02T18:15:12.000Z",
        "dateReserved": "2022-08-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2015 (GCVE-0-2022-2015)

    Vulnerability from cvelistv5 – Published: 2022-06-08 08:30 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 19.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:43.934Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "19.0.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-08T08:30:14.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
            }
          ],
          "source": {
            "advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-2015",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "19.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
                },
                {
                  "name": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
                }
              ]
            },
            "source": {
              "advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-2015",
        "datePublished": "2022-06-08T08:30:14.000Z",
        "dateReserved": "2022-06-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:43.934Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2014 (GCVE-0-2022-2014)

    Vulnerability from cvelistv5 – Published: 2022-06-08 07:25 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Code Injection in jgraph/drawio
    Summary
    Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
    CWE
    • CWE-94 - Improper Control of Generation of Code
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 19.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.057Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "19.0.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-08T07:25:11.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
            }
          ],
          "source": {
            "advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
            "discovery": "EXTERNAL"
          },
          "title": "Code Injection in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-2014",
              "STATE": "PUBLIC",
              "TITLE": "Code Injection in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "19.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-94 Improper Control of Generation of Code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
                }
              ]
            },
            "source": {
              "advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-2014",
        "datePublished": "2022-06-08T07:25:11.000Z",
        "dateReserved": "2022-06-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:44.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-1815 (GCVE-0-2022-1815)

    Vulnerability from cvelistv5 – Published: 2022-05-25 08:15 – Updated: 2024-08-03 00:16
    VLAI
    Title
    Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 18.1.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:16:59.916Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "18.1.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-25T08:15:15.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
            }
          ],
          "source": {
            "advisory": "6e856a25-9117-47c6-9375-52f78876902f",
            "discovery": "EXTERNAL"
          },
          "title": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-1815",
              "STATE": "PUBLIC",
              "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "18.1.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
                }
              ]
            },
            "source": {
              "advisory": "6e856a25-9117-47c6-9375-52f78876902f",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-1815",
        "datePublished": "2022-05-25T08:15:15.000Z",
        "dateReserved": "2022-05-23T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:16:59.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }