52 vulnerabilities found for jgraph/drawio by jgraph (only a subset of those records is shown below; each summary is the CNA's one-line description, so the affected code path and exploitation conditions must be taken from the linked huntr report and fix commit rather than from the summary itself).
CVE-2023-3975 (GCVE-0-2023-3975)
Vulnerability from nvd – Published: 2023-07-27 14:34 – Updated: 2024-10-15 15:32
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.
Severity
8.3 (High)
SSVC
Exploitation: poc (SSVC value meaning a public proof of concept exists; this is not a claim of observed in-the-wild exploitation)
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.5.0
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.5.0
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3975",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:03:26.147244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:32:40.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:34:10.847Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
},
{
"url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
}
],
"source": {
"advisory": "4da96d20-78ac-462e-910c-a14db9062161",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3975",
"datePublished": "2023-07-27T14:34:10.847Z",
"dateReserved": "2023-07-27T14:34:05.900Z",
"dateUpdated": "2024-10-15T15:32:40.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3974 (GCVE-0-2023-3974)
Vulnerability from nvd – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.4.0
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.4.0
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3974",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:03:43.684638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:36:08.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:33:31.671Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
},
{
"url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
}
],
"source": {
"advisory": "ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3974",
"datePublished": "2023-07-27T14:33:31.671Z",
"dateReserved": "2023-07-27T14:33:26.406Z",
"dateUpdated": "2024-10-15T15:36:08.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3973 (GCVE-0-2023-3973)
Vulnerability from nvd – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
Title
Cross-site Scripting (XSS) - Reflected in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.6.3
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.6.3
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3973",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:04:11.770958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:36:46.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:33:11.271Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
},
{
"url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
}
],
"source": {
"advisory": "4c1c5db5-210f-4d7e-8380-b95f88fdb78d",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3973",
"datePublished": "2023-07-27T14:33:11.271Z",
"dateReserved": "2023-07-27T14:32:56.314Z",
"dateUpdated": "2024-10-15T15:36:46.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3398 (GCVE-0-2023-3398)
Vulnerability from nvd – Published: 2023-06-26 10:05 – Updated: 2024-12-03 18:47
Title
Denial of Service in jgraph/drawio
Summary
Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.1.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3398",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T18:44:34.481992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T18:47:29.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-26T10:05:09.278Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
},
{
"url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
}
],
"source": {
"advisory": "aa087215-80e1-433d-b870-650705630e69",
"discovery": "EXTERNAL"
},
"title": "Denial of Service in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3398",
"datePublished": "2023-06-26T10:05:09.278Z",
"dateReserved": "2023-06-26T10:04:56.783Z",
"dateUpdated": "2024-12-03T18:47:29.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3026 (GCVE-0-2023-3026)
Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-10 18:55
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:04.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T18:55:51.968547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T18:55:55.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-01T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
},
{
"url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
}
],
"source": {
"advisory": "9bbcc127-1e69-4c88-b318-d2afef48eff0",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3026",
"datePublished": "2023-06-01T00:00:00.000Z",
"dateReserved": "2023-06-01T00:00:00.000Z",
"dateUpdated": "2025-01-10T18:55:55.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3873 (GCVE-0-2022-3873)
Vulnerability from nvd – Published: 2022-11-07 00:00 – Updated: 2025-05-01 17:59
Title
Cross-site Scripting (XSS) - DOM in jgraph/drawio
Summary
Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.5.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3873",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T17:55:24.006232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T17:59:19.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
},
{
"url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
}
],
"source": {
"advisory": "52a4085e-b687-489b-9ed6-f0987583ed77",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - DOM in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3873",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-11-07T00:00:00.000Z",
"dateUpdated": "2025-05-01T17:59:19.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3223 (GCVE-0-2022-3223)
Vulnerability from nvd – Published: 2022-09-16 10:50 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.759Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T10:50:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
],
"source": {
"advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3223",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.1"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"name": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
]
},
"source": {
"advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3223",
"datePublished": "2022-09-16T10:50:12.000Z",
"dateReserved": "2022-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3133 (GCVE-0-2022-3133)
Vulnerability from nvd – Published: 2022-09-09 17:55 – Updated: 2024-08-03 01:00
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.
Severity
7.0 (High) — CNA CVSS v3.0 vector CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, taken from the record below; note this is scored as a local-vector issue, unlike the network-vector command-injection records for 21.4.0 and 21.5.0 above
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223 | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T17:55:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
],
"source": {
"advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3133",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"name": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
]
},
"source": {
"advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3133",
"datePublished": "2022-09-09T17:55:09.000Z",
"dateReserved": "2022-09-05T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3148 (GCVE-0-2022-3148)
Vulnerability from nvd – Published: 2022-09-08 09:25 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Generic in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
Severity
5.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-08T09:25:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
],
"source": {
"advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3148",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
]
},
"source": {
"advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3148",
"datePublished": "2022-09-08T09:25:09.000Z",
"dateReserved": "2022-09-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3138 (GCVE-0-2022-3138)
Vulnerability from nvd – Published: 2022-09-08 09:30 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Generic in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. Same fixed version and same fix commit (b5dfeb238369d664fb06a95e2179236b0e75f366) as CVE-2022-3148, reported through a separate huntr bounty (1816a207-6abf-408c-b19a-e497e24172b3); the CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) differs from CVE-2022-3148 only in requiring user interaction, which is why it scores 4.3 rather than 5.3.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/b5dfeb238… | x_refsource_MISC |
| https://huntr.dev/bounties/1816a207-6abf-408c-b19… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-08T09:30:13.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
],
"source": {
"advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3138",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"name": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
]
},
"source": {
"advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3138",
"datePublished": "2022-09-08T09:30:14.000Z",
"dateReserved": "2022-09-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3127 (GCVE-0-2022-3127)
Vulnerability from nvd – Published: 2022-09-05 12:50 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. Fixed in commit 59887e45b36f06c8dd4919a32bacd994d9f084da, the same commit referenced by CVE-2022-3065. Note that the assigner's CVSS 3.0 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores a local attack vector with user interaction and high confidentiality impact rather than a network vector; check the huntr report (6cea89d1-39dc-4023-82fa-821f566b841a) to confirm the actual exposure before relying on the 5.5 score.
Severity
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/59887e45b… | x_refsource_MISC |
| https://huntr.dev/bounties/6cea89d1-39dc-4023-82f… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T12:50:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
],
"source": {
"advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3127",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.2.8"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"name": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
]
},
"source": {
"advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3127",
"datePublished": "2022-09-05T12:50:09.000Z",
"dateReserved": "2022-09-05T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3065 (GCVE-0-2022-3065)
Vulnerability from nvd – Published: 2022-09-02 18:15 – Updated: 2024-08-03 01:00
Title
Improper Access Control in jgraph/drawio
Summary
Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. Fixed in commit 59887e45b36f06c8dd4919a32bacd994d9f084da, shared with CVE-2022-3127. The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) records low availability impact only, with no confidentiality or integrity impact, so despite the CWE-284 label this was scored as an unauthenticated, network-reachable availability issue.
Severity
5.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/59887e45b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-02T18:15:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
],
"source": {
"advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3065",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.2.8"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
]
},
"source": {
"advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3065",
"datePublished": "2022-09-02T18:15:12.000Z",
"dateReserved": "2022-08-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2015 (GCVE-0-2022-2015)
Vulnerability from nvd – Published: 2022-06-08 08:30 – Updated: 2024-08-03 00:24
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2. Fixed in commit 3d3f819d7a04da7d53b37cc0ca4269c157ba2825, the same commit referenced by CVE-2022-2014 (Code Injection, 9.6 Critical). The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) is scored with changed scope, i.e. impact extending beyond the vulnerable component; deployments below 19.0.2 should treat both CVEs as a single upgrade.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/3d3f819d7… | x_refsource_MISC |
| https://huntr.dev/bounties/0d32f448-155c-4b71-929… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 19.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "19.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-08T08:30:14.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
],
"source": {
"advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2015",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.0.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"name": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
]
},
"source": {
"advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2015",
"datePublished": "2022-06-08T08:30:14.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:43.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2014 (GCVE-0-2022-2014)
Vulnerability from nvd – Published: 2022-06-08 07:25 – Updated: 2024-08-03 00:24
Title
Code Injection in jgraph/drawio
Summary
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. CWE-94; CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L (9.6 Critical) — unauthenticated and network-reachable but requiring user interaction, with changed scope and high confidentiality and integrity impact. Fixed in commit 3d3f819d7a04da7d53b37cc0ca4269c157ba2825, which also resolves CVE-2022-2015.
Severity
9.6 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/911a4ada-7fd6-467a-a46… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/3d3f819d7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 19.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "19.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-08T07:25:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
],
"source": {
"advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
"discovery": "EXTERNAL"
},
"title": "Code Injection in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2014",
"STATE": "PUBLIC",
"TITLE": "Code Injection in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.0.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
]
},
"source": {
"advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2014",
"datePublished": "2022-06-08T07:25:11.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:44.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1815 (GCVE-0-2022-1815)
Vulnerability from nvd – Published: 2022-05-25 08:15 – Updated: 2024-08-03 00:16
Title
Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio
Summary
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. Fixed in commit c287bef9101d024b1fd59d55ecd530f25000f9d8; the CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) scores a low confidentiality-only impact reachable without authentication or user interaction. The record does not state what information is exposed; consult the huntr report (6e856a25-9117-47c6-9375-52f78876902f) for specifics.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/6e856a25-9117-47c6-937… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/c287bef91… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.1.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:59.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.1.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-25T08:15:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
],
"source": {
"advisory": "6e856a25-9117-47c6-9375-52f78876902f",
"discovery": "EXTERNAL"
},
"title": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1815",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.1.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"name": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
]
},
"source": {
"advisory": "6e856a25-9117-47c6-9375-52f78876902f",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1815",
"datePublished": "2022-05-25T08:15:15.000Z",
"dateReserved": "2022-05-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:59.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3975 (GCVE-0-2023-3975)
Vulnerability from cvelistv5 – Published: 2023-07-27 14:34 – Updated: 2024-10-15 15:32
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection (CWE-78) in jgraph/drawio; versions before 21.5.0 are affected per the CNA record, and the referenced commit 8ec95cb is the associated code change. The CNA's CVSS v3.0 vector rates it high complexity with user interaction required (AC:H, UI:R); a public PoC is recorded (SSVC Exploitation: poc). This is a separate issue from CVE-2023-3974 (affected before 21.4.0), published the same day: upgrading to 21.5.0 or later covers both, and 21.6.3 or later also covers CVE-2023-3973.
Severity
8.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
Impacted products
2 product entries (the CNA entry "jgraph/drawio" and the CISA ADP entry "drawio", which adds the CPE cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*, describe the same software; match assets on either identifier rather than counting two products)
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.5.0
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.5.0
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3975",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:03:26.147244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:32:40.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:34:10.847Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4da96d20-78ac-462e-910c-a14db9062161"
},
{
"url": "https://github.com/jgraph/drawio/commit/8ec95cb03e0a80cf908a282522ac1651306db340"
}
],
"source": {
"advisory": "4da96d20-78ac-462e-910c-a14db9062161",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3975",
"datePublished": "2023-07-27T14:34:10.847Z",
"dateReserved": "2023-07-27T14:34:05.900Z",
"dateUpdated": "2024-10-15T15:32:40.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3974 (GCVE-0-2023-3974)
Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection (CWE-78) in jgraph/drawio; versions before 21.4.0 are affected per the CNA record, and the referenced commit 9d6532d is the associated code change. Rated 9.6 Critical by the CNA (CVSS v3.0 AV:N/AC:L/PR:N/UI:R/S:C); user interaction is still required, and a public PoC is recorded (SSVC Exploitation: poc). Distinct from CVE-2023-3975 (affected before 21.5.0); upgrade to at least 21.5.0 to close both.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
Impacted products
2 product entries (the CNA entry "jgraph/drawio" and the CISA ADP entry "drawio", which adds the CPE cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*, describe the same software; match assets on either identifier rather than counting two products)
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.4.0
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.4.0
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3974",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:03:43.684638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:36:08.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:33:31.671Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2"
},
{
"url": "https://github.com/jgraph/drawio/commit/9d6532de36496e77d872d91b1947bb696607d623"
}
],
"source": {
"advisory": "ce75aa04-e4d6-4e0a-9db0-ae84c46ae9e2",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3974",
"datePublished": "2023-07-27T14:33:31.671Z",
"dateReserved": "2023-07-27T14:33:26.406Z",
"dateUpdated": "2024-10-15T15:36:08.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3973 (GCVE-0-2023-3973)
Vulnerability from cvelistv5 – Published: 2023-07-27 14:33 – Updated: 2024-10-15 15:36
Title
Cross-site Scripting (XSS) - Reflected in jgraph/drawio
Summary
Reflected Cross-site Scripting (CWE-79) in jgraph/drawio; versions before 21.6.3 are affected per the CNA record, and the referenced commit 1db2c2c is the associated code change. The 9.6 Critical rating is the CNA's CVSS v3.0 assessment (S:C, C:H/I:H/A:L) and still requires user interaction (UI:R), as reflected XSS does; re-score against your own deployment before prioritising. A public PoC is recorded (SSVC Exploitation: poc).
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 product entries (the CNA entry "jgraph/drawio" and the CISA ADP entry "drawio", which adds the CPE cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*, describe the same software; match assets on either identifier rather than counting two products)
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.6.3
(custom)
|
|
| jgraph | drawio |
Affected:
0 , < 21.6.3
(custom)
cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3973",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:04:11.770958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:36:46.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T14:33:11.271Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d"
},
{
"url": "https://github.com/jgraph/drawio/commit/1db2c2c653aa245d175d30c210239e3946bfcb95"
}
],
"source": {
"advisory": "4c1c5db5-210f-4d7e-8380-b95f88fdb78d",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3973",
"datePublished": "2023-07-27T14:33:11.271Z",
"dateReserved": "2023-07-27T14:32:56.314Z",
"dateUpdated": "2024-10-15T15:36:46.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3398 (GCVE-0-2023-3398)
Vulnerability from cvelistv5 – Published: 2023-06-26 10:05 – Updated: 2024-12-03 18:47
Title
Denial of Service in jgraph/drawio
Summary
Denial of Service through uncontrolled resource consumption (CWE-400) in jgraph/drawio; versions before 18.1.3 are affected per the CNA record, and the referenced commit 064729f is the associated code change. CNA CVSS v3.0 5.3 Medium (availability impact only, no user interaction); SSVC records a public PoC and marks it automatable.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 18.1.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3398",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T18:44:34.481992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T18:47:29.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-26T10:05:09.278Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/aa087215-80e1-433d-b870-650705630e69"
},
{
"url": "https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50"
}
],
"source": {
"advisory": "aa087215-80e1-433d-b870-650705630e69",
"discovery": "EXTERNAL"
},
"title": "Denial of Service in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3398",
"datePublished": "2023-06-26T10:05:09.278Z",
"dateReserved": "2023-06-26T10:04:56.783Z",
"dateUpdated": "2024-12-03T18:47:29.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3026 (GCVE-0-2023-3026)
Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-10 18:55
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Stored Cross-site Scripting (CWE-79) in jgraph/drawio; versions before 21.2.8 are affected per the CNA record, and the referenced commit c7ac634 is the associated code change. CNA CVSS v3.0 6.5 Medium; the CISA ADP tags the huntr report as an exploit reference and SSVC marks the issue automatable, so treat a working public PoC as available.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 21.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:04.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T18:55:51.968547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T18:55:55.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "21.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-01T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/9bbcc127-1e69-4c88-b318-d2afef48eff0"
},
{
"url": "https://github.com/jgraph/drawio/commit/c7ac634055c3edfabc7729fc4298a5ab7bfbf384"
}
],
"source": {
"advisory": "9bbcc127-1e69-4c88-b318-d2afef48eff0",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3026",
"datePublished": "2023-06-01T00:00:00.000Z",
"dateReserved": "2023-06-01T00:00:00.000Z",
"dateUpdated": "2025-01-10T18:55:55.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3873 (GCVE-0-2022-3873)
Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2025-05-01 17:59
Title
Cross-site Scripting (XSS) - DOM in jgraph/drawio
Summary
DOM-based Cross-site Scripting (CWE-79) in jgraph/drawio; versions before 20.5.2 are affected per the CNA record, and the referenced commit d37894b is the associated code change. CNA CVSS v3.0 6.5 Medium; SSVC records a public PoC and marks it automatable.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.5.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3873",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T17:55:24.006232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T17:59:19.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/52a4085e-b687-489b-9ed6-f0987583ed77"
},
{
"url": "https://github.com/jgraph/drawio/commit/d37894baf125430e85840c2635563b10d1a6523d"
}
],
"source": {
"advisory": "52a4085e-b687-489b-9ed6-f0987583ed77",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - DOM in jgraph/drawio"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3873",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-11-07T00:00:00.000Z",
"dateUpdated": "2025-05-01T17:59:19.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3223 (GCVE-0-2022-3223)
Vulnerability from cvelistv5 – Published: 2022-09-16 10:50 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Stored Cross-site Scripting (CWE-79) in jgraph/drawio; versions before 20.3.1 are affected per the CNA record, and the referenced commit ea012ba is the associated code change. CNA CVSS v3.0 4.3 Medium (confidentiality impact low only, user interaction required); no CISA ADP/SSVC enrichment is present for this record.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.759Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T10:50:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
],
"source": {
"advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3223",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.1"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/125791b6-3a68-4235-8866-6bc3a52332ba"
},
{
"name": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/ea012baba6fb2e903797fa6306833ca4f31ab361"
}
]
},
"source": {
"advisory": "125791b6-3a68-4235-8866-6bc3a52332ba",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3223",
"datePublished": "2022-09-16T10:50:12.000Z",
"dateReserved": "2022-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3133 (GCVE-0-2022-3133)
Vulnerability from cvelistv5 – Published: 2022-09-09 17:55 – Updated: 2024-08-03 01:00
Title
OS Command Injection in jgraph/drawio
Summary
OS Command Injection (CWE-78) in jgraph/drawio; versions before 20.3.0 are affected per the CNA record, and the referenced commit 8f3f95a is the associated code change. Unlike CVE-2023-3974 and CVE-2023-3975 (network attack vector), the CNA's CVSS v3.0 vector here is local with high complexity and user interaction required (AV:L/AC:H/UI:R, 7.0 High). No CISA ADP/SSVC enrichment is present for this record.
Severity
7.0 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223 | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T17:55:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
],
"source": {
"advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3133",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/2d93052f-efc6-4647-9a6d-8b08dc251223"
},
{
"name": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/8f3f95a05b701175b639ba9572dc4e0fb7c46b02"
}
]
},
"source": {
"advisory": "2d93052f-efc6-4647-9a6d-8b08dc251223",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3133",
"datePublished": "2022-09-09T17:55:09.000Z",
"dateReserved": "2022-09-05T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3138 (GCVE-0-2022-3138)
Vulnerability from cvelistv5 – Published: 2022-09-08 09:30 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Generic in jgraph/drawio
Summary
Cross-site Scripting (CWE-79, variant not specified by the CNA) in jgraph/drawio; versions before 20.3.0 are affected per the CNA record, and the referenced commit b5dfeb2 is the associated code change. CNA CVSS v3.0 4.3 Medium (integrity impact low only, user interaction required). Shares the 20.3.0 fixed version with CVE-2022-3133, so one upgrade addresses both.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366 | x_refsource_MISC |
| https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified , < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-08T09:30:13.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
],
"source": {
"advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3138",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
},
{
"name": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1816a207-6abf-408c-b19a-e497e24172b3"
}
]
},
"source": {
"advisory": "1816a207-6abf-408c-b19a-e497e24172b3",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3138",
"datePublished": "2022-09-08T09:30:14.000Z",
"dateReserved": "2022-09-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3148 (GCVE-0-2022-3148)
Vulnerability from cvelistv5 – Published: 2022-09-08 09:25 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Generic in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
Severity
5.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/1f730015-b4d0-4f84-8ca… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/b5dfeb238… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified, < 20.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-08T09:25:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
],
"source": {
"advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3148",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.3.0"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1f730015-b4d0-4f84-8cac-9cf1e57a091a"
},
{
"name": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/b5dfeb238369d664fb06a95e2179236b0e75f366"
}
]
},
"source": {
"advisory": "1f730015-b4d0-4f84-8cac-9cf1e57a091a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3148",
"datePublished": "2022-09-08T09:25:09.000Z",
"dateReserved": "2022-09-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3127 (GCVE-0-2022-3127)
Vulnerability from cvelistv5 – Published: 2022-09-05 12:50 – Updated: 2024-08-03 01:00
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.
Severity
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/59887e45b… | x_refsource_MISC |
| https://huntr.dev/bounties/6cea89d1-39dc-4023-82f… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified, < 20.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T12:50:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
],
"source": {
"advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3127",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.2.8"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
},
{
"name": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/6cea89d1-39dc-4023-82fa-821f566b841a"
}
]
},
"source": {
"advisory": "6cea89d1-39dc-4023-82fa-821f566b841a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3127",
"datePublished": "2022-09-05T12:50:09.000Z",
"dateReserved": "2022-09-05T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3065 (GCVE-0-2022-3065)
Vulnerability from cvelistv5 – Published: 2022-09-02 18:15 – Updated: 2024-08-03 01:00
Title
Improper Access Control in jgraph/drawio
Summary
Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.
Severity
5.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/59887e45b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified, < 20.2.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "20.2.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-02T18:15:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
],
"source": {
"advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3065",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "20.2.8"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"
},
{
"name": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"
}
]
},
"source": {
"advisory": "5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3065",
"datePublished": "2022-09-02T18:15:12.000Z",
"dateReserved": "2022-08-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2015 (GCVE-0-2022-2015)
Vulnerability from cvelistv5 – Published: 2022-06-08 08:30 – Updated: 2024-08-03 00:24
Title
Cross-site Scripting (XSS) - Stored in jgraph/drawio
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jgraph/drawio/commit/3d3f819d7… | x_refsource_MISC |
| https://huntr.dev/bounties/0d32f448-155c-4b71-929… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified, < 19.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "19.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-08T08:30:14.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
],
"source": {
"advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2015",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.0.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
},
{
"name": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/0d32f448-155c-4b71-9291-9e8bcd522b37"
}
]
},
"source": {
"advisory": "0d32f448-155c-4b71-9291-9e8bcd522b37",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2015",
"datePublished": "2022-06-08T08:30:14.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:43.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2014 (GCVE-0-2022-2014)
Vulnerability from cvelistv5 – Published: 2022-06-08 07:25 – Updated: 2024-08-03 00:24
Title
Code Injection in jgraph/drawio
Summary
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
Severity
9.6 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/911a4ada-7fd6-467a-a46… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/3d3f819d7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified, < 19.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "19.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-08T07:25:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
],
"source": {
"advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
"discovery": "EXTERNAL"
},
"title": "Code Injection in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2014",
"STATE": "PUBLIC",
"TITLE": "Code Injection in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.0.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Code Injection in GitHub repository jgraph/drawio prior to 19.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/911a4ada-7fd6-467a-a464-b88604b16ffc"
},
{
"name": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/3d3f819d7a04da7d53b37cc0ca4269c157ba2825"
}
]
},
"source": {
"advisory": "911a4ada-7fd6-467a-a464-b88604b16ffc",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2014",
"datePublished": "2022-06-08T07:25:11.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:44.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1815 (GCVE-0-2022-1815)
Vulnerability from cvelistv5 – Published: 2022-05-25 08:15 – Updated: 2024-08-03 00:16
Title
Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio
Summary
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/6e856a25-9117-47c6-937… | x_refsource_CONFIRM |
| https://github.com/jgraph/drawio/commit/c287bef91… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgraph | jgraph/drawio |
Affected:
unspecified, < 18.1.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:59.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jgraph/drawio",
"vendor": "jgraph",
"versions": [
{
"lessThan": "18.1.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-25T08:15:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
],
"source": {
"advisory": "6e856a25-9117-47c6-9375-52f78876902f",
"discovery": "EXTERNAL"
},
"title": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1815",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jgraph/drawio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "18.1.2"
}
]
}
}
]
},
"vendor_name": "jgraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f"
},
{
"name": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8",
"refsource": "MISC",
"url": "https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8"
}
]
},
"source": {
"advisory": "6e856a25-9117-47c6-9375-52f78876902f",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1815",
"datePublished": "2022-05-25T08:15:15.000Z",
"dateReserved": "2022-05-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:59.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}