Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12N3Y4LWdqdjctZmZtcs4AA1WK

@excalidraw/excalidraw Cross-site Scripting vulnerability

Impact

XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm package @excalidraw/excalidraw provided it was deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or sharing didn't take place, the impact is minimized.

Patches

Patch is available on version 0.15.3 and up (stable), or latest @excalidraw/excalidraw@next (unstable releases).

Workarounds

No workaround without upgrading unless deployed in environments without untrusted user input.

References

https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
https://github.com/excalidraw/excalidraw/pull/6728

Permalink: https://github.com/advisories/GHSA-v7v8-gjv7-ffmr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12N3Y4LWdqdjctZmZtcs4AA1WK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago

CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00063
EPSS Percentile: 0.29396

Identifiers: GHSA-v7v8-gjv7-ffmr, CVE-2023-26140
References:

• https://github.com/excalidraw/excalidraw/security/advisories/GHSA-v7v8-gjv7-ffmr
• https://nvd.nist.gov/vuln/detail/CVE-2023-26140
• https://github.com/excalidraw/excalidraw/pull/6728
• https://github.com/excalidraw/excalidraw/commit/b33fa6d6f64d27adc3a47b25c0aa55711740d0af
• https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
• https://github.com/advisories/GHSA-v7v8-gjv7-ffmr

Repository: https://github.com/excalidraw/excalidraw
Blast Radius: 16.6

Affected Packages