CVE-2025-58172
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-16

Assigner: GitHub, Inc.

Description
drawnix is an all-in-one open-source whiteboard tool. In drawnix versions through 0.2.1, a cross-site scripting (XSS) vulnerability exists in the debug logging functionality. User-controlled content is inserted directly into the DOM via innerHTML without sanitization when the global function __drawnix__web__console is invoked, as shown in apps/web/src/app/app.tsx where div.innerHTML = value is executed. This can allow arbitrary JavaScript execution in the context of the application if an attacker can cause untrusted data to be passed to the debug logger (for example via a malicious extension or other injection vector), potentially exposing user data or enabling unauthorized actions. The issue is fixed in version 0.3.0. Updating to 0.3.0 or later is recommended. No known workarounds exist.
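The sink named in the description (div.innerHTML = value) beside a hardened logger that writes the same value as text, as an added example that is not drawnix's code. StubElement, unsafeDebugLog, safeDebugLog and hasInlineHandler are constructed for illustration; the element stub stands in for a real DOM so the block runs outside a browser.

```javascript
// Added example (not drawnix code): the advisory's sink, div.innerHTML = value,
// beside the hardened form that writes the same value as text. StubElement is a
// constructed stand-in for a browser DOM node so this runs in Node: assigning
// innerHTML parses markup into child elements (as a browser would), textContent never does.
class StubElement {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.text = ''; }
  // Minimal HTML "parser": every opening tag becomes a child element with its attributes.
  set innerHTML(markup) {
    this.children = [...markup.matchAll(/<(\w+)([^>]*)>/g)].map((m) => {
      const el = new StubElement(m[1].toLowerCase());
      for (const a of m[2].matchAll(/(\w+)=["']?([^"'\s>]*)/g)) {
        el.attrs[a[1].toLowerCase()] = a[2];
      }
      return el;
    });
    this.text = markup.replace(/<[^>]*>/g, '');
  }
  // Text sink: the string is stored verbatim and no element is ever created from it.
  set textContent(value) {
    this.children = [];
    this.text = String(value);
  }
  appendChild(child) {
    this.children.push(child);
    return child;
  }
}

// Vulnerable pattern from the description (drawnix <= 0.2.1): the logged value is treated as HTML.
function unsafeDebugLog(container, value) {
  const div = new StubElement('div');
  div.innerHTML = value; // markup in `value` becomes live nodes, inline event handlers included
  return container.appendChild(div);
}

// Hardened form: the logged value is treated as text, so any markup is displayed literally.
function safeDebugLog(container, value) {
  const div = new StubElement('div');
  div.textContent = value; // no parsing, so no element or handler can originate from `value`
  return container.appendChild(div);
}

// Review check: does a rendered log entry contain an element carrying an inline on* handler?
function hasInlineHandler(entry) {
  return entry.children.some((c) => Object.keys(c.attrs).some((k) => k.startsWith('on')));
}
```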
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor       Product   Version / Range
plait-board  drawnix   0.2.1
plait-board  drawnix   0.3.0
Exploitability
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a cross-site scripting (XSS) issue in drawnix versions up to 0.2.1. It occurs because user-controlled content is inserted directly into the webpage's DOM using innerHTML without any sanitization in the debug logging function. This allows an attacker to inject and execute arbitrary JavaScript code if they can pass malicious data to the debug logger, for example via a malicious browser extension or other injection methods. The vulnerability is fixed in version 0.3.0 by disabling the unsafe debug logging function. [1, 2]


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker to execute arbitrary JavaScript code within the context of the drawnix application. This could lead to exposure of user data or unauthorized actions being performed on behalf of the user. The attack could be triggered remotely or locally, for example through malicious browser extensions injecting data into the debug logger. However, the overall severity is considered low. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by attempting to invoke the vulnerable debug logging function in the drawnix application to see if it executes arbitrary JavaScript. For example, in the browser console of the drawnix web application (versions up to 0.2.1), you can run the command: window.__drawnix__web__console('<img src=x onerror=alert("XSS")>'); If an alert pops up, the vulnerability exists. Monitoring for the presence of the global function __drawnix__web__console in the window object can also indicate vulnerability. There are no network-level detection commands specified. [1]


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to update drawnix to version 0.3.0 or later, where the vulnerable debug logging functionality has been disabled by commenting out the unsafe global function. No other workarounds are known. Disabling or restricting the use of browser extensions or other injection vectors that could pass untrusted data to the debug logger may reduce risk but is not a complete fix. [1, 2]

