CVE-2022-1231

Name of the Vulnerable Software and Affected Versions plantuml versions prior to 1.2022.4

Description The issue is related to Stored XSS via Embedded SVG in the SVG Diagram Format. This can lead to stealing secrets, account hijacking, or even code execution, especially in desktop applications. Web-based applications are most affected due to the common use of SVG format in plugins for web-based projects, such as the Confluence plugin. The SVG format allows clickable links in diagrams, increasing the risk.

Recommendations For versions prior to 1.2022.4, update to version 1.2022.4 or later to resolve the issue. As a temporary workaround, consider disabling the use of Embedded SVG in the SVG Diagram Format until a patch is available. Restrict access to the diagram embedder to minimize the risk of exploitation. Avoid using the SVG format for clickable links in diagrams until the issue is resolved.