CVE-2026-46642
Status: Analyzed - Analysis Complete
XSS in draw.io via Crafted .drawio File

Publication date: 2026-06-10

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected, which import does automatically. This issue has been patched in version 29.7.12.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-16
Generated: 2026-06-17
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Vendor: diagrams
Product: drawio
Version range: prior to 29.7.12 (29.7.12 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability in draw.io (up to version 29.7.11) allows a crafted .drawio file to execute arbitrary JavaScript code when opened. It arises from a cross-site scripting (XSS) flaw in the Text Format panel's feature-detection routine, which reads raw cell labels and assigns them to a detached element's innerHTML without proper sanitization.

An attacker can embed an <img> tag with an onerror event handler in a cell label. Because browsers trigger the onerror event even on detached elements, this script executes as soon as the cell is selected, which happens automatically during file import.

This vulnerability is not related to the label sanitizer used during rendering but is due to unsafe handling in the feature detection code. It has been patched in version 29.7.12 by sanitizing the label before assignment.

Impact Analysis

If exploited, this vulnerability allows execution of arbitrary JavaScript within the draw.io editor's origin. This can lead to unauthorized access or modification of data within draw.io or other applications sharing the same origin.

Because the script runs automatically when a malicious file is imported, an attacker could potentially steal sensitive information, manipulate diagrams, or perform actions on behalf of the user without their consent.

The vulnerability affects self-hosted instances without strict Content-Security-Policy (CSP) settings and the static deployment at https://jgraph.github.io/drawio/. However, the public deployment at https://app.diagrams.net is not exploitable due to its CSP configuration.

Detection Guidance

Exposure to this vulnerability can be determined by checking whether your draw.io instance or deployment runs a version prior to 29.7.12 and whether it allows opening crafted .drawio files whose cell labels contain embedded <img> tags with onerror event handlers.

Since the issue triggers script execution when a malicious .drawio file is opened or imported, detection involves monitoring for suspicious file imports or unexpected JavaScript execution within the draw.io editor's origin.

There are no specific commands provided in the resources to detect this vulnerability directly on your network or system.
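As an added example (not from the advisory or the draw.io project), the following Python script scans the contents of a .drawio file for cell labels containing a tag with an inline event-handler attribute, the label shape this issue is triggered by. It assumes the .drawio layout: an mxfile element wrapping diagram elements, each holding an mxGraphModel either as inline XML or as URL-encoded text that was raw-deflated and base64-encoded, with labels stored in the value attribute of mxCell (or the label attribute of a user object).

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# A tag carrying an inline event-handler attribute (onerror, onload, ...) inside a label.
EVENT_HANDLER_RE = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)

def decode_diagram(diagram):
    """Return the <mxGraphModel> of a <diagram>, stored either as inline XML or as
    URL-encoded text that was raw-deflated and base64-encoded (compressed files)."""
    model = diagram.find("mxGraphModel")
    if model is not None or not (diagram.text or "").strip():
        return model
    raw = zlib.decompress(base64.b64decode(diagram.text.strip()), -15)  # raw deflate stream
    return ET.fromstring(unquote(raw.decode("utf-8")))

def encode_diagram(model_xml):
    """Inverse of decode_diagram; used here only to build a compressed test input."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = deflater.compress(quote(model_xml, safe="").encode()) + deflater.flush()
    return base64.b64encode(data).decode()

def find_suspicious_labels(drawio_xml):
    """Return (diagram name, element id, label) for every cell or user object whose
    label text contains a tag with an inline event handler."""
    hits = []
    root = ET.fromstring(drawio_xml)
    diagrams = list(root.iter("diagram")) if root.tag == "mxfile" else [root]
    for diagram in diagrams:
        model = decode_diagram(diagram) if diagram.tag == "diagram" else diagram
        if model is None:
            continue
        for elem in model.iter():  # mxCell keeps the label in value=, user objects in label=
            for attr in ("value", "label"):
                text = elem.get(attr, "")
                if EVENT_HANDLER_RE.search(text):
                    hits.append((diagram.get("name", "-"), elem.get("id"), text))
    return hits

# Constructed sample file: one benign HTML label and one label of the shape described above.
SAMPLE = """<mxfile><diagram name="Page-1"><mxGraphModel><root>
<mxCell id="0"/><mxCell id="1" parent="0"/>
<mxCell id="2" value="Benign &lt;b&gt;bold&lt;/b&gt; label" vertex="1" parent="1"/>
<mxCell id="3" value="&lt;img src=x onerror=alert(1)&gt;" vertex="1" parent="1"/>
</root></mxGraphModel></diagram></mxfile>"""
```

Calling find_suspicious_labels(SAMPLE) flags only the cell with id 3; pass the text of a real file to scan it, compressed diagrams included.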

Mitigation Strategies

The primary mitigation is to upgrade draw.io to version 29.7.12 or later, where the vulnerability has been patched by sanitizing cell labels before assignment.

As a workaround, you can enforce a strict Content-Security-Policy (CSP) whose script-src directive does not include 'unsafe-inline'. Such a policy blocks inline event handlers like onerror, so the injected JavaScript payload is not executed.

Avoid opening or importing untrusted or suspicious .drawio files until the update or CSP mitigation is applied.

Compliance Impact

The vulnerability allows execution of arbitrary JavaScript within the draw.io editor's origin when a crafted file is opened, potentially enabling unauthorized access or modification of data within the application or embedded applications sharing the same origin.

Such unauthorized code execution could lead to data breaches or unauthorized data manipulation, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the vulnerability is mitigated in public deployments with strict Content-Security-Policy (CSP) configurations, reducing the risk of exploitation.

Organizations running vulnerable versions without a strict CSP, including self-hosted instances, may face increased risk of non-compliance due to potential data exposure or integrity issues caused by this vulnerability.
