PT-2019-13142 · Jgraph+1 · Draw.Io Diagrams+2

Published: 2019-07-01 · Updated: 2022-05-24 · CVE-2019-13127

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: mxGraph versions through 4.0.0; draw.io Diagrams plugin versions before 8.3.14 for Confluence and other products.

Description: The issue is caused by improper input validation/sanitization of a color field, leading to cross-site scripting (XSS). This allows attackers to execute JavaScript code in the context of the visitor's browser and session. The draw.io Diagrams plugin enables the creation and editing of diagrams in Confluence, including setting the background color of text displayed in the diagram. If a user-provided color is not properly sanitized, it can lead to the execution of HTML and JavaScript code, potentially allowing attackers to run Confluence commands under the visitor's user or to attack the visitor's browser.

Recommendations: For mxGraph versions through 4.0.0, update the draw.io Diagrams plugin to version 8.3.14 or later to resolve the issue. For draw.io Diagrams plugin versions before 8.3.14, update to version 8.3.14 or later to fix the vulnerability. As a temporary workaround, consider restricting the ability to set custom background colors in diagrams to minimize the risk of exploitation.
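As an added example (not draw.io or mxGraph code), the check below shows the kind of allowlist validation a color field needs before its value is placed into markup or a style string: only hex, rgb()/hsl() with numeric components, or a fixed keyword set pass, and everything else falls back to a default. The keyword set and the function names are assumptions made for this illustration.

```javascript
// Added defensive example: strict allowlist for a user-supplied CSS colour.
// Hex forms: #rgb, #rgba, #rrggbb, #rrggbbaa
const HEX_RE = /^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
// rgb()/rgba()/hsl()/hsla() with numeric components only, e.g. rgba(255, 0, 0, 0.5)
const FUNC_RE = /^(?:rgb|hsl)a?\(\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/i;
// Keyword allowlist: a constructed subset, extend from the CSS named-colour list as needed.
const NAMED = new Set(['none', 'transparent', 'black', 'white', 'red', 'green', 'blue', 'yellow', 'gray', 'orange']);

// Returns true only when the value is syntactically a colour and nothing else.
function isSafeCssColor(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  if (v.length === 0 || v.length > 40) return false;
  return HEX_RE.test(v) || FUNC_RE.test(v) || NAMED.has(v.toLowerCase());
}

// Vulnerable pattern: the raw value is concatenated into a style string,
// so any characters the user supplies reach the rendered document unchanged.
function labelStyleUnsafe(color) {
  return 'background-color:' + color + ';';
}

// Hardened pattern: the value is used only if it passes the allowlist,
// otherwise a known-good default is emitted instead.
function labelStyleSafe(color, fallback = 'none') {
  return 'background-color:' + (isSafeCssColor(color) ? color.trim() : fallback) + ';';
}
```

Validating by allowlist rather than by stripping known-bad characters is what keeps the check robust: a value either matches a colour grammar or it is discarded.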

Tags: Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

CVE-2019-13127
GHSA-XM59-JVXM-CP3V

Affected Products

Confluence
Draw.Io Diagrams
Mxgraph