Search

Find a vulnerability

Search criteria

    62 vulnerabilities by jgraph

    CVE-2026-46642 (GCVE-0-2026-46642)

    Vulnerability from nvd – Published: 2026-06-10 17:42 – Updated: 2026-06-11 14:03
    VLAI
    Title
    draw.io: XSS via crafted cell label when opening a .drawio file
    Summary
    draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph drawio Affected: < 29.7.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46642",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-11T14:02:47.367642Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T14:03:34.537Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 29.7.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor\u0027s origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element\u0027s innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an \u003cimg src=x onerror=...\u003e payload in any cell label triggers script execution as soon as the cell is selected \u2014 which import does automatically. This issue has been patched in version 29.7.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T17:42:02.156Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"
            },
            {
              "name": "https://github.com/jgraph/drawio/releases/tag/v29.7.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/releases/tag/v29.7.12"
            }
          ],
          "source": {
            "advisory": "GHSA-fqhg-287p-c6vf",
            "discovery": "UNKNOWN"
          },
          "title": "draw.io: XSS via crafted cell label when opening a .drawio file"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46642",
        "datePublished": "2026-06-10T17:42:02.156Z",
        "dateReserved": "2026-05-15T20:11:54.584Z",
        "dateUpdated": "2026-06-11T14:03:34.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42195 (GCVE-0-2026-42195)

    Vulnerability from nvd – Published: 2026-05-08 21:22 – Updated: 2026-05-13 17:47
    VLAI
    Title
    Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host
    Summary
    draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    jgraph drawio Affected: < 29.7.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T17:18:43.655474Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T17:47:31.482Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 29.7.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user\u0027s click on draw.io\u0027s \"Authorize in GitLab\" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T21:22:40.678Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x"
            },
            {
              "name": "https://github.com/jgraph/drawio/issues/493",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/issues/493"
            },
            {
              "name": "https://github.com/jgraph/drawio/releases/tag/v29.7.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/releases/tag/v29.7.9"
            }
          ],
          "source": {
            "advisory": "GHSA-8x7j-m8px-7p8x",
            "discovery": "UNKNOWN"
          },
          "title": "Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42195",
        "datePublished": "2026-05-08T21:22:40.678Z",
        "dateReserved": "2026-04-25T01:53:21.584Z",
        "dateUpdated": "2026-05-13T17:47:31.482Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3975 (GCVE-0-2023-3975)

    Vulnerability from nvd – Published: 2023-07-27 14:34 – Updated: 2024-10-15 15:32
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.5.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.5.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3975",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:26.147244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:32:40.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.5.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:34:10.847Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
            }
          ],
          "source": {
            "advisory": "4da96d20-78ac-462e-910c-a14db9062161",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3975",
        "datePublished": "2023-07-27T14:34:10.847Z",
        "dateReserved": "2023-07-27T14:34:05.900Z",
        "dateUpdated": "2024-10-15T15:32:40.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3974 (GCVE-0-2023-3974)

    Vulnerability from nvd – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.4.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.4.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.4.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3974",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:43.684638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:08.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:31.671Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
            }
          ],
          "source": {
            "advisory": "ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3974",
        "datePublished": "2023-07-27T14:33:31.671Z",
        "dateReserved": "2023-07-27T14:33:26.406Z",
        "dateUpdated": "2024-10-15T15:36:08.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3973 (GCVE-0-2023-3973)

    Vulnerability from nvd – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    Cross-site Scripting (XSS) - Reflected in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.6.3 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.6.3 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.699Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3973",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:04:11.770958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:46.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.6.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:11.271Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
            }
          ],
          "source": {
            "advisory": "4c1c5db5-210f-4d7e-8380-b95f88fdb78d",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Reflected in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3973",
        "datePublished": "2023-07-27T14:33:11.271Z",
        "dateReserved": "2023-07-27T14:32:56.314Z",
        "dateUpdated": "2024-10-15T15:36:46.194Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3398 (GCVE-0-2023-3398)

    Vulnerability from nvd – Published: 2023-06-26 10:05 – Updated: 2024-12-03 18:47
    VLAI
    Title
    Denial of Service in jgraph/drawio
    Summary
    Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 18.1.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.225Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3398",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:44:34.481992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:47:29.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "18.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-26T10:05:09.278Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
            }
          ],
          "source": {
            "advisory": "aa087215-80e1-433d-b870-650705630e69",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3398",
        "datePublished": "2023-06-26T10:05:09.278Z",
        "dateReserved": "2023-06-26T10:04:56.783Z",
        "dateUpdated": "2024-12-03T18:47:29.317Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3026 (GCVE-0-2023-3026)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-10 18:55
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:41:04.335Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3026",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-10T18:55:51.968547Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-10T18:55:55.645Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://huntr.com/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
            }
          ],
          "source": {
            "advisory": "9bbcc127-1e69-4c88-b318-d2afef48eff0",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3026",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-06-01T00:00:00.000Z",
        "dateUpdated": "2025-01-10T18:55:55.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3873 (GCVE-0-2022-3873)

    Vulnerability from nvd – Published: 2022-11-07 00:00 – Updated: 2025-05-01 17:59
    VLAI
    Title
    Cross-site Scripting (XSS) - DOM in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.5.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:20:58.575Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3873",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T17:55:24.006232Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-01T17:59:19.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.5.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-07T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
            }
          ],
          "source": {
            "advisory": "52a4085e-b687-489b-9ed6-f0987583ed77",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - DOM in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3873",
        "datePublished": "2022-11-07T00:00:00.000Z",
        "dateReserved": "2022-11-07T00:00:00.000Z",
        "dateUpdated": "2025-05-01T17:59:19.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-40440 (GCVE-0-2022-40440)

    Vulnerability from nvd – Published: 2022-10-11 00:00 – Updated: 2024-08-03 12:21
    VLAI
    Summary
    mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:21:45.907Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://mxgraph.com"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/mxgraph"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/SxB64/mxgraph-xss-vul/wiki"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-11T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "http://mxgraph.com"
            },
            {
              "url": "https://github.com/jgraph/mxgraph"
            },
            {
              "url": "https://github.com/SxB64/mxgraph-xss-vul/wiki"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-40440",
        "datePublished": "2022-10-11T00:00:00.000Z",
        "dateReserved": "2022-09-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T12:21:45.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3223 (GCVE-0-2022-3223)

    Vulnerability from nvd – Published: 2022-09-16 10:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.759Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T10:50:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
            }
          ],
          "source": {
            "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3223",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
                }
              ]
            },
            "source": {
              "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3223",
        "datePublished": "2022-09-16T10:50:12.000Z",
        "dateReserved": "2022-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3133 (GCVE-0-2022-3133)

    Vulnerability from nvd – Published: 2022-09-09 17:55 – Updated: 2024-08-03 01:00
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-09T17:55:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
            }
          ],
          "source": {
            "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3133",
              "STATE": "PUBLIC",
              "TITLE": "OS Command Injection in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
                }
              ]
            },
            "source": {
              "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3133",
        "datePublished": "2022-09-09T17:55:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3148 (GCVE-0-2022-3148)

    Vulnerability from nvd – Published: 2022-09-08 09:25 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:25:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            }
          ],
          "source": {
            "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3148",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                }
              ]
            },
            "source": {
              "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3148",
        "datePublished": "2022-09-08T09:25:09.000Z",
        "dateReserved": "2022-09-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.577Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3138 (GCVE-0-2022-3138)

    Vulnerability from nvd – Published: 2022-09-08 09:30 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.521Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:30:13.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
            }
          ],
          "source": {
            "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3138",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                },
                {
                  "name": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
                }
              ]
            },
            "source": {
              "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3138",
        "datePublished": "2022-09-08T09:30:14.000Z",
        "dateReserved": "2022-09-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3127 (GCVE-0-2022-3127)

    Vulnerability from nvd – Published: 2022-09-05 12:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-05T12:50:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
            }
          ],
          "source": {
            "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3127",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                },
                {
                  "name": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
                }
              ]
            },
            "source": {
              "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3127",
        "datePublished": "2022-09-05T12:50:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3065 (GCVE-0-2022-3065)

    Vulnerability from nvd – Published: 2022-09-02 18:15 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Improper Access Control in jgraph/drawio
    Summary
    Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.156Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-02T18:15:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            }
          ],
          "source": {
            "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Access Control in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3065",
              "STATE": "PUBLIC",
              "TITLE": "Improper Access Control in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                }
              ]
            },
            "source": {
              "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3065",
        "datePublished": "2022-09-02T18:15:12.000Z",
        "dateReserved": "2022-08-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-46642 (GCVE-0-2026-46642)

    Vulnerability from cvelistv5 – Published: 2026-06-10 17:42 – Updated: 2026-06-11 14:03
    VLAI
    Title
    draw.io: XSS via crafted cell label when opening a .drawio file
    Summary
    draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph drawio Affected: < 29.7.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46642",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-11T14:02:47.367642Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T14:03:34.537Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 29.7.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor\u0027s origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element\u0027s innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an \u003cimg src=x onerror=...\u003e payload in any cell label triggers script execution as soon as the cell is selected \u2014 which import does automatically. This issue has been patched in version 29.7.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T17:42:02.156Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"
            },
            {
              "name": "https://github.com/jgraph/drawio/releases/tag/v29.7.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/releases/tag/v29.7.12"
            }
          ],
          "source": {
            "advisory": "GHSA-fqhg-287p-c6vf",
            "discovery": "UNKNOWN"
          },
          "title": "draw.io: XSS via crafted cell label when opening a .drawio file"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46642",
        "datePublished": "2026-06-10T17:42:02.156Z",
        "dateReserved": "2026-05-15T20:11:54.584Z",
        "dateUpdated": "2026-06-11T14:03:34.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42195 (GCVE-0-2026-42195)

    Vulnerability from cvelistv5 – Published: 2026-05-08 21:22 – Updated: 2026-05-13 17:47
    VLAI
    Title
    Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host
    Summary
    draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    jgraph drawio Affected: < 29.7.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T17:18:43.655474Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T17:47:31.482Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 29.7.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user\u0027s click on draw.io\u0027s \"Authorize in GitLab\" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T21:22:40.678Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x"
            },
            {
              "name": "https://github.com/jgraph/drawio/issues/493",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/issues/493"
            },
            {
              "name": "https://github.com/jgraph/drawio/releases/tag/v29.7.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/releases/tag/v29.7.9"
            }
          ],
          "source": {
            "advisory": "GHSA-8x7j-m8px-7p8x",
            "discovery": "UNKNOWN"
          },
          "title": "Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42195",
        "datePublished": "2026-05-08T21:22:40.678Z",
        "dateReserved": "2026-04-25T01:53:21.584Z",
        "dateUpdated": "2026-05-13T17:47:31.482Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3975 (GCVE-0-2023-3975)

    Vulnerability from cvelistv5 – Published: 2023-07-27 14:34 – Updated: 2024-10-15 15:32
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.5.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.5.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3975",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:26.147244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:32:40.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.5.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:34:10.847Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
            }
          ],
          "source": {
            "advisory": "4da96d20-78ac-462e-910c-a14db9062161",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3975",
        "datePublished": "2023-07-27T14:34:10.847Z",
        "dateReserved": "2023-07-27T14:34:05.900Z",
        "dateUpdated": "2024-10-15T15:32:40.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3974 (GCVE-0-2023-3974)

    Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.4.0 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.4.0 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.4.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3974",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:03:43.684638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:08.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:31.671Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
            }
          ],
          "source": {
            "advisory": "ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3974",
        "datePublished": "2023-07-27T14:33:31.671Z",
        "dateReserved": "2023-07-27T14:33:26.406Z",
        "dateUpdated": "2024-10-15T15:36:08.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3973 (GCVE-0-2023-3973)

    Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
    VLAI
    Title
    Cross-site Scripting (XSS) - Reflected in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.6.3 (custom)
    Create a notification for this product.
    jgraph drawio Affected: 0 , < 21.6.3 (custom)
        cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.699Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "drawio",
                "vendor": "jgraph",
                "versions": [
                  {
                    "lessThan": "21.6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3973",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T15:04:11.770958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T15:36:46.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.6.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-27T14:33:11.271Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
            }
          ],
          "source": {
            "advisory": "4c1c5db5-210f-4d7e-8380-b95f88fdb78d",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Reflected in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3973",
        "datePublished": "2023-07-27T14:33:11.271Z",
        "dateReserved": "2023-07-27T14:32:56.314Z",
        "dateUpdated": "2024-10-15T15:36:46.194Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3398 (GCVE-0-2023-3398)

    Vulnerability from cvelistv5 – Published: 2023-06-26 10:05 – Updated: 2024-12-03 18:47
    VLAI
    Title
    Denial of Service in jgraph/drawio
    Summary
    Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 18.1.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.225Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3398",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:44:34.481992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:47:29.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "18.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-26T10:05:09.278Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
            }
          ],
          "source": {
            "advisory": "aa087215-80e1-433d-b870-650705630e69",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3398",
        "datePublished": "2023-06-26T10:05:09.278Z",
        "dateReserved": "2023-06-26T10:04:56.783Z",
        "dateUpdated": "2024-12-03T18:47:29.317Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3026 (GCVE-0-2023-3026)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-10 18:55
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 21.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:41:04.335Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3026",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-10T18:55:51.968547Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-10T18:55:55.645Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://huntr.com/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "21.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-01T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
            }
          ],
          "source": {
            "advisory": "9bbcc127-1e69-4c88-b318-d2afef48eff0",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2023-3026",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-06-01T00:00:00.000Z",
        "dateUpdated": "2025-01-10T18:55:55.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3873 (GCVE-0-2022-3873)

    Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2025-05-01 17:59
    VLAI
    Title
    Cross-site Scripting (XSS) - DOM in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.5.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:20:58.575Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3873",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T17:55:24.006232Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-01T17:59:19.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.5.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-07T00:00:00.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
            },
            {
              "url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
            }
          ],
          "source": {
            "advisory": "52a4085e-b687-489b-9ed6-f0987583ed77",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - DOM in jgraph/drawio"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3873",
        "datePublished": "2022-11-07T00:00:00.000Z",
        "dateReserved": "2022-11-07T00:00:00.000Z",
        "dateUpdated": "2025-05-01T17:59:19.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-40440 (GCVE-0-2022-40440)

    Vulnerability from cvelistv5 – Published: 2022-10-11 00:00 – Updated: 2024-08-03 12:21
    VLAI
    Summary
    mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:21:45.907Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://mxgraph.com"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/mxgraph"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/SxB64/mxgraph-xss-vul/wiki"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-11T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "http://mxgraph.com"
            },
            {
              "url": "https://github.com/jgraph/mxgraph"
            },
            {
              "url": "https://github.com/SxB64/mxgraph-xss-vul/wiki"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-40440",
        "datePublished": "2022-10-11T00:00:00.000Z",
        "dateReserved": "2022-09-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T12:21:45.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3223 (GCVE-0-2022-3223)

    Vulnerability from cvelistv5 – Published: 2022-09-16 10:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.759Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T10:50:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
            }
          ],
          "source": {
            "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3223",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
                }
              ]
            },
            "source": {
              "advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3223",
        "datePublished": "2022-09-16T10:50:12.000Z",
        "dateReserved": "2022-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3133 (GCVE-0-2022-3133)

    Vulnerability from cvelistv5 – Published: 2022-09-09 17:55 – Updated: 2024-08-03 01:00
    VLAI
    Title
    OS Command Injection in jgraph/drawio
    Summary
    OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-09T17:55:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
            }
          ],
          "source": {
            "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
            "discovery": "EXTERNAL"
          },
          "title": "OS Command Injection in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3133",
              "STATE": "PUBLIC",
              "TITLE": "OS Command Injection in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
                }
              ]
            },
            "source": {
              "advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3133",
        "datePublished": "2022-09-09T17:55:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3138 (GCVE-0-2022-3138)

    Vulnerability from cvelistv5 – Published: 2022-09-08 09:30 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.521Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:30:13.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
            }
          ],
          "source": {
            "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3138",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                },
                {
                  "name": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
                }
              ]
            },
            "source": {
              "advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3138",
        "datePublished": "2022-09-08T09:30:14.000Z",
        "dateReserved": "2022-09-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3148 (GCVE-0-2022-3148)

    Vulnerability from cvelistv5 – Published: 2022-09-08 09:25 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Generic in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-08T09:25:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
            }
          ],
          "source": {
            "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3148",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
                }
              ]
            },
            "source": {
              "advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3148",
        "datePublished": "2022-09-08T09:25:09.000Z",
        "dateReserved": "2022-09-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.577Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3127 (GCVE-0-2022-3127)

    Vulnerability from cvelistv5 – Published: 2022-09-05 12:50 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Cross-site Scripting (XSS) - Stored in jgraph/drawio
    Summary
    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-05T12:50:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
            }
          ],
          "source": {
            "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
            "discovery": "EXTERNAL"
          },
          "title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3127",
              "STATE": "PUBLIC",
              "TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                },
                {
                  "name": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
                }
              ]
            },
            "source": {
              "advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3127",
        "datePublished": "2022-09-05T12:50:09.000Z",
        "dateReserved": "2022-09-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3065 (GCVE-0-2022-3065)

    Vulnerability from cvelistv5 – Published: 2022-09-02 18:15 – Updated: 2024-08-03 01:00
    VLAI
    Title
    Improper Access Control in jgraph/drawio
    Summary
    Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    jgraph jgraph/drawio Affected: unspecified , < 20.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.156Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jgraph/drawio",
              "vendor": "jgraph",
              "versions": [
                {
                  "lessThan": "20.2.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-02T18:15:12.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
            }
          ],
          "source": {
            "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Access Control in jgraph/drawio",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-3065",
              "STATE": "PUBLIC",
              "TITLE": "Improper Access Control in jgraph/drawio"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jgraph/drawio",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "20.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "jgraph"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
                },
                {
                  "name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
                  "refsource": "MISC",
                  "url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
                }
              ]
            },
            "source": {
              "advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-3065",
        "datePublished": "2022-09-02T18:15:12.000Z",
        "dateReserved": "2022-08-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T01:00:10.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }