Vulnerabilities/

Stored Cross-site Scripting (XSS) in excalidraw's web embed component

Severity:: Medium

Description

A stored XSS vulnerability in Excalidraw’s web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted.

Recommendation

Update the @excalidraw/excalidraw package to the latest compatible version. Followings are version details:

Affected version(s): **>= 0.17.0, < 0.17.6 >= 0.16.0, < 0.16.4**
Patched version(s): **0.17.6 0.16.4**

References

GHSA-m64q-4jqh-f72f
CVE-2024-32472
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Cross-site scripting (XSS) in the clipboard package - CVE-2024-45613
Cross-site Scripting (XSS) in serialize-javascript - CVE-2024-11831
Cross-site Scripting (XSS) - Stored in crud-file-server - CVE-2018-3726
VvvebJs Reflected Cross-Site Scripting (XSS) vulnerability - CVE-2024-29271

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

How do hackers hack websites?

Tags:: npm; @excalidraw/excalidraw

Anything's wrong? Let us know Last updated on April 18, 2024