CVE-2023-3973 in drawio
Summary
by MITRE • 07/27/2023
Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/15/2026
Cross site scripting vulnerability in the jgraph/drawio repository affects versions prior to 21.6.3 and represents a critical security flaw that allows attackers to inject malicious scripts into web applications. This vulnerability falls under the CWE-79 category of Cross Site Scripting and specifically manifests as a reflected XSS attack vector. The flaw occurs when user-supplied input is not properly sanitized before being rendered back to the browser, creating an opportunity for attackers to execute arbitrary JavaScript code within the context of a victim's browser session. The vulnerability stems from insufficient input validation and output encoding mechanisms within the application's handling of user data.
The operational impact of this reflected XSS vulnerability is significant as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration from authenticated users. Attackers can craft malicious URLs containing script payloads that, when clicked by victims, execute code in the victim's browser context. This allows for unauthorized access to user accounts, modification of web page content, and potential redirection to malicious sites. The vulnerability affects the drawio application's ability to properly sanitize user input from various parameters that are reflected back to the browser, making it particularly dangerous in environments where users can upload or input data into the system. The attack typically involves sending crafted payloads through URL parameters or form inputs that are then reflected back to the user without proper sanitization.
Security practitioners should implement comprehensive input validation and output encoding measures to address this vulnerability. The recommended mitigation involves upgrading to version 21.6.3 or later where the XSS vulnerability has been patched. Additionally, developers should employ proper content security policies, implement strict input sanitization using libraries such as DOMPurify, and ensure all user-supplied data is properly encoded before being rendered in web pages. The vulnerability aligns with ATT&CK technique T1566.001 for Initial Access through spearphishing attachments and T1059.007 for Command and Scripting Interpreter through JavaScript. Organizations should conduct thorough security testing including dynamic application security testing and manual penetration testing to identify similar vulnerabilities in their web applications. The remediation process should include implementing a robust security coding practice framework that follows OWASP Top Ten guidelines and incorporates proper input validation at multiple layers of the application architecture to prevent similar issues from occurring in future deployments.