Lucene search

K
cvelist@huntrdevCVELIST:CVE-2022-1575
HistoryMay 05, 2022 - 11:45 a.m.

CVE-2022-1575 Arbitrary Code Execution through Sanitizer Bypass in jgraph/drawio

2022-05-0511:45:12
CWE-94
@huntrdev
www.cve.org
arbitrary code execution
sanitizer bypass
github repository
stored xss
desktop app
remote code execution
web app

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.5%

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.

CNA Affected

[
  {
    "product": "jgraph/drawio",
    "vendor": "jgraph",
    "versions": [
      {
        "lessThan": "18.0.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.5%

Related for CVELIST:CVE-2022-1575