Advisory ID: SYSS-2019-032
Product: draw.io Diagrams for Confluence
Manufacturer: //SEIBERT/MEDIA - Draw.io
Affected Version(s): 8.3.13 for Confluence Server 6.14.3
Tested Version(s): 8.3.13
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2019-06-12
Solution Date: 2019-06-12
Public Disclosure: 2019-07-01
CVE Reference: Not yet assigned
Author of Advisory: Sebastian Nerz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

draw.io Diagrams for Confluence is a plugin for the Confluence CMS system.
The manufacturer describes the product as a draw.io diagramming solution
for the Confluence CMS system (see [1]).

Due to a lack of user input sanitization, the product is vulnerable to
persistent Cross-Site Scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

draw.io Diagrams allows the creation and editing of draw.io-based diagrams
in Confluence. Among other things, it allows the user to set the
background color of text displayed in the diagram.

The color provided by the user is not properly sanitized, so HTML and
JavaScript code contained in it is rendered as-is to visitors of the page.
This allows attackers to execute JavaScript code in the context of the
visitor's browser and session and, for example, to run Confluence commands
as the visiting user or to attack the visitor's browser.
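The following is an added illustration, not code from the plugin or from SySS: a minimal rendering function that interpolates the user-supplied color into an HTML attribute the way the advisory describes, beside a hardened version that only accepts values matching a strict color grammar and escapes everything placed into HTML. The function names, the allow-list and the fallback color are assumptions chosen for the example; the payload string is the one quoted in the PoC below.

```javascript
// Payload from the advisory's PoC, used here as test input.
const POC_COLOR = '" onMouseOver=alert(1) a="';

// Vulnerable pattern (assumed, for illustration only): the color value is
// concatenated straight into a style attribute. A double quote in the value
// closes the attribute, and what follows becomes new attributes on the element.
function renderLabelVulnerable(text, color) {
  return '<span style="background-color:' + color + '">' + text + '</span>';
}

// Hardened version: validate the color against a strict grammar (3- or 6-digit
// hex, plus a small named-color allow-list), escape everything that lands in
// HTML, and fall back to a default instead of echoing rejected input.
const NAMED_COLORS = new Set(['none', 'white', 'black', 'red', 'green', 'blue', 'yellow']);
const HEX_COLOR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;

function isSafeColor(value) {
  if (typeof value !== 'string') return false;
  return HEX_COLOR.test(value) || NAMED_COLORS.has(value.toLowerCase());
}

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderLabelSafe(text, color, fallback = '#ffffff') {
  const safeColor = isSafeColor(color) ? color : fallback;
  return '<span style="background-color:' + escapeHtml(safeColor) + '">' +
    escapeHtml(text) + '</span>';
}

// Audit helper: given color values extracted from stored diagrams, return the
// ones that would not pass the validator (useful when reviewing content saved
// before the fixed plugin version was installed).
function findSuspiciousColors(colors) {
  return colors.filter((c) => !isSafeColor(c));
}
```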
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1) Create a new draw.io Diagram, add an element, edit its background color
   and enter some text into the element (see drawio_xss_poc_1.png)

2) Enter the following "color":

   " onMouseOver=alert(1) a="

3) Save and view the resulting diagram, moving your mouse over the text
   (see drawio_xss_poc_2.png and drawio_xss_poc_3.png)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 8.3.14 or later of the draw.io Confluence plugin.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-06-11: Vulnerability discovered
2019-06-12: Vulnerability reported to manufacturer
2019-06-12: Manufacturer provides an updated and patched version [4]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Elements Spreadsheet for Confluence
    https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluencee
[2] SySS Security Advisory SYSS-2019-032
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-032.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] draw.io Diagrams for Confluence version history
    https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluence/version-history

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Nerz of SySS GmbH.

E-Mail: Sebastian.Nerz@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Nerz.asc
Key ID: 0xD12D26A49180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en