GitHub Advisory DatabaseGHSA-V7V8-GJV7-FFMR@excalidraw/excalidraw Cross-site Scripting vulnerability
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.8%
Impact
XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm package @excalidraw/excalidraw provided it was deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or sharing didn’t take place, the impact is minimized.
Patches
Patch is available on version 0.15.3 and up (stable), or latest @excalidraw/excalidraw@next (unstable releases).
Workarounds
No workaround without upgrading unless deployed in environments without untrusted user input.
References
https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
https://github.com/excalidraw/excalidraw/pull/6728
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| @excalidraw/excalidraw | lt | 0.15.3 |
References
github.com/advisories/GHSA-v7v8-gjv7-ffmr
github.com/excalidraw/excalidraw/commit/b33fa6d6f64d27adc3a47b25c0aa55711740d0af
github.com/excalidraw/excalidraw/pull/6728
github.com/excalidraw/excalidraw/security/advisories/GHSA-v7v8-gjv7-ffmr
nvd.nist.gov/vuln/detail/CVE-2023-26140
security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.8%