PT-2024-24599 · Unknown · Excalidraw
Welle · Published 2024-04-17 · Updated 2024-04-18 · CVE-2024-32472

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Excalidraw versions 0.16.x through 0.17.5; Excalidraw version 0.16.3 and earlier

Description: A stored XSS vulnerability in Excalidraw's web embeddable component allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors: one rendered an untrusted string as an iframe's srcdoc without properly sanitizing it against HTML injection, and the other improperly sanitized against attribute HTML injection. In conjunction with the iframe being granted the allow-same-origin sandbox flag, this resulted in the XSS.

Recommendations: For Excalidraw versions 0.16.x through 0.17.5, update to version 0.17.6 or 0.16.4 to fix the vulnerability. For Excalidraw version 0.16.3 and earlier, update to version 0.16.4 to fix the vulnerability. As a temporary workaround, consider disabling the web embeddable component until a patch is available. Restrict what untrusted content can reach the srcdoc attribute of iframes to minimize the risk of exploitation. Avoid using the allow-same-origin sandbox flag unless necessary, and follow the principle of least privilege.
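The two vectors named in the description (unsanitized HTML in srcdoc, attribute injection) and the recommendation against allow-same-origin, shown as an added JavaScript example. This is not Excalidraw's code; the function names, the sample embed and the sample page are constructed here. It goes one step beyond the text in also validating the URL scheme placed into an href, and it adds a small audit function that flags iframes whose sandbox grants allow-same-origin together with allow-scripts.

```javascript
// Added example, not Excalidraw's code. Two defensive measures for the bug class
// the advisory describes: escaping untrusted input before it lands in an
// iframe's srcdoc (text and attribute positions alike), and never granting
// allow-same-origin to a sandboxed srcdoc frame. All names are hypothetical.

// Escape the five characters that let text break out of an HTML text node or
// a double-/single-quoted attribute value.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) URLs are allowed into href; anything else (other schemes,
// malformed input) is replaced by about:blank. Escaping alone does not make a
// URL safe in an href attribute.
function safeUrl(untrusted) {
  try {
    const u = new URL(String(untrusted));
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : "about:blank";
  } catch {
    return "about:blank";
  }
}

// The inner document for the embed. Untrusted values appear only escaped:
// `title` in text position, `url` in attribute position.
function buildEmbedSrcdoc({ title, url }) {
  return (
    '<!doctype html><html><head><meta charset="utf-8">' +
    `<title>${escapeHtml(title)}</title></head><body>` +
    `<a href="${escapeHtml(safeUrl(url))}" rel="noopener">${escapeHtml(title)}</a>` +
    "</body></html>"
  );
}

// Sandbox tokens the embed may request. allow-same-origin is never granted:
// a srcdoc frame otherwise inherits the embedding page's origin, so combining
// it with allow-scripts lets injected script act as the host domain.
const DENIED_SANDBOX_TOKENS = new Set(["allow-same-origin"]);
function buildSandboxAttribute(requested) {
  return requested.filter((tok) => !DENIED_SANDBOX_TOKENS.has(tok)).join(" ");
}

// Serialise the iframe. The srcdoc string is attribute-escaped a second time
// here: the HTML parser decodes that layer once to obtain the inner document,
// whose own escaping of `title` and `url` then stays intact.
function renderEmbedIframe(embed, requestedSandbox = ["allow-scripts"]) {
  const sandbox = buildSandboxAttribute(requestedSandbox);
  const srcdoc = escapeHtml(buildEmbedSrcdoc(embed));
  return `<iframe sandbox="${sandbox}" srcdoc="${srcdoc}"></iframe>`;
}

// Detection side: scan markup for iframes whose sandbox is missing or grants
// allow-same-origin together with allow-scripts (the combination behind the
// advisory). Returns one finding string per offending iframe tag.
function auditIframeSandbox(html) {
  const findings = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const m = /\bsandbox\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    if (!m) {
      if (!/\bsandbox\b/i.test(tag)) findings.push(`no sandbox attribute: ${tag}`);
      continue; // a bare `sandbox` with no value is the most restrictive form
    }
    const tokens = new Set((m[1] ?? m[2] ?? m[3]).toLowerCase().split(/\s+/));
    if (tokens.has("allow-same-origin") && tokens.has("allow-scripts")) {
      findings.push(`allow-same-origin combined with allow-scripts: ${tag}`);
    }
  }
  return findings;
}

// Constructed sample input: a title carrying HTML markup and a URL carrying a
// non-http scheme, standing in for an untrusted embed record.
const SAMPLE_EMBED = { title: "<script>alert(1)</script>", url: "javascript:alert(1)" };
const SAMPLE_PAGE = [
  '<iframe sandbox="allow-scripts allow-same-origin" srcdoc="x"></iframe>',
  '<iframe srcdoc="y"></iframe>',
  '<iframe sandbox="allow-scripts" srcdoc="z"></iframe>',
].join("\n");

console.log(renderEmbedIframe(SAMPLE_EMBED));
console.log(auditIframeSandbox(SAMPLE_PAGE));
```

The rendered iframe carries no `allow-same-origin` token and no raw `<script` text, and the audit reports two of the three sample iframes: the one combining allow-scripts with allow-same-origin, and the one with no sandbox at all.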

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2024-32472
GHSA-M64Q-4JQH-F72F

Affected Products
Excalidraw