CVE-2024-32472
Stored Cross-site Scripting (XSS) in excalidraw's web embed component
Description
### Summary A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. ### Poc Inserting an embed with the below url (can be copy/pasted onto canvas to insert as embed) will log `42` to the console: ``` https://gist.github.com/vv=v<script>console.log(42)</script> ``` ### Details There were two vectors. One rendering untrusted string as iframe's `srcdoc` without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing `allow-same-origin` sandbox flag (necessary for several embeds) resulted in the XSS. Former was fixed by no longer rendering unsafe `srcdoc` content verbatim, and instead strictly parsing the supplied content and constructing the `srcdoc` manually. The latter by sanitizing properly. The `allow-same-origin` flag is now also set only in cases that require it, following the principle of least privilege. ### Impact This is a cross site scripting vulnerability, for more information, please see: https://portswigger.net/web-security/cross-site-scripting Two npm `@excalidraw/excalidraw` stable version releases were affected (`0.16.x`, `0.17.x`), and both are now patched.
How to fix CVE-2024-32472
To remediate CVE-2024-32472, upgrade the affected package to a fixed version below.
- —upgrade to 0.16.4 or later
Is CVE-2024-32472 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.16.0, < 0.16.4