GHSA-v7v8-gjv7-ffmr

Published: 16 Aug 2023
Source: github
GitHub: Reviewed
CVSS3: 6.1

Description

@excalidraw/excalidraw Cross-site Scripting vulnerability

Impact

An XSS vulnerability exists because the URLs of links that can be attached to canvas elements were not properly sanitized. This affects users of the npm package @excalidraw/excalidraw when it is deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or no sharing took place, the impact is minimized.
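The defensive pattern that addresses this class of bug, shown as an added illustration rather than code from excalidraw or from this advisory: parse each link URL with the WHATWG URL parser, allow-list its scheme before it is stored on a canvas element or emitted as an anchor, and escape it for the attribute context. Function and constant names are assumptions; the sample links are constructed.

```javascript
// Added example, not excalidraw's own code (function names are assumptions):
// allow-list a link URL's scheme before it is stored on a canvas element or
// rendered as an <a href>, then escape it for the attribute context.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized absolute URL, or null if the link may not be rendered.
// Relative URLs are rejected: a shared drawing has no trustworthy base origin.
function sanitizeLinkUrl(raw) {
  if (typeof raw !== "string") return null;
  // Drop C0 controls and DEL first: the WHATWG parser itself strips tabs and
  // newlines, so "java\tscript:" would otherwise parse as the javascript: scheme.
  const cleaned = raw.replace(/[\u0000-\u001F\u007F]/g, "").trim();
  if (cleaned === "") return null;
  let parsed;
  try {
    parsed = new URL(cleaned); // throws on relative or malformed input
  } catch {
    return null;
  }
  // parsed.protocol is lower-cased by the parser, so "JaVaScRiPt:" is caught too.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Escape for an HTML attribute value; the URL parser leaves "&" untouched, so
// this is still needed for a URL that passed sanitizeLinkUrl.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Anchor markup for a link attached to a canvas element, or null when the URL
// was rejected (the caller then renders the element without a link).
function linkMarkup(raw) {
  const href = sanitizeLinkUrl(raw);
  if (href === null) return null;
  const safe = escapeAttr(href);
  return `<a href="${safe}" target="_blank" rel="noopener noreferrer">${safe}</a>`;
}

// Constructed sample inputs of the kind a shared drawing might carry.
const SAMPLE_LINKS = ["https://example.com/docs?a=1&b=2", "mailto:team@example.com",
  "javascript:void(0)", "java\tscript:void(0)", "data:text/html,hello", "/relative"];

// Returns [input, sanitized-or-null] pairs for the samples.
function reviewSamples(links = SAMPLE_LINKS) {
  return links.map((l) => [l, sanitizeLinkUrl(l)]);
}
```

Rejected links should be dropped at import time as well as at render time, so that a stored drawing never carries a URL the renderer would refuse.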

Patches

A patch is available in version 0.15.3 and up (stable), or in the latest @excalidraw/excalidraw@next (unstable releases).

Workarounds

There is no workaround other than upgrading, unless the package is deployed in environments without untrusted user input.

References

https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
https://github.com/excalidraw/excalidraw/pull/6728

Packages

Name: @excalidraw/excalidraw
Ecosystem: npm
Affected versions: < 0.15.3
Fixed version: 0.15.3

EPSS

Score: 0.00173
Percentile: 39%
Low

CVSS3

6.1 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
nvd
more than 2 years ago

Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.

CVSS3: 6.1
fstec
more than 2 years ago

Vulnerability in the excalidraw package for the Node.js software platform, caused by missing input sanitization, which allows an attacker to carry out a cross-site scripting (XSS) attack.
