CVE-2024-32472

描述

### Summary A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. ### Poc Inserting an embed with the below url (can be copy/pasted onto canvas to insert as embed) will log `42` to the console: ``` https://gist.github.com/vv=v<script>console.log(42)</script> ``` ### Details There were two vectors. One rendering untrusted string as iframe's `srcdoc` without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing `allow-same-origin` sandbox flag (necessary for several embeds) resulted in the XSS. Former was fixed by no longer rendering unsafe `srcdoc` content verbatim, and instead strictly parsing the supplied content and constructing the `srcdoc` manually. The latter by sanitizing properly. The `allow-same-origin` flag is now also set only in cases that require it, following the principle of least privilege. ### Impact This is a cross site scripting vulnerability, for more information, please see: https://portswigger.net/web-security/cross-site-scripting Two npm `@excalidraw/excalidraw` stable version releases were affected (`0.16.x`, `0.17.x`), and both are now patched.

受影響套件(1)

• npm/@excalidraw/excalidraw>= 0.16.0, < 0.16.4

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-32472
• PATCHhttps://github.com/excalidraw/excalidraw
• WEBhttps://github.com/excalidraw/excalidraw/commit/6be752e1b6d776ccfbd3bb9eea17463cb264121d
• WEBhttps://github.com/excalidraw/excalidraw/commit/988f81911ca58e3ca2583e0dd44a954dd00e09d0
• WEBhttps://github.com/excalidraw/excalidraw/security/advisories/GHSA-m64q-4jqh-f72f