Open davidjgraph opened 2 years ago
Versions of draw.io prior to 18.0.0 are susceptible to the stored XSS attack described at https://huntr.dev/bounties/033d3423-eb05-4b53-a747-1bfcba873127/ if they do not have an appropriate CSP to block unsafe-inline script.
I don't know if this project bundles draw.io, but if it does I would test against the test case and update to 18.0.0 if found to be susceptible.
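Since the report hinges on whether a deployment's Content-Security-Policy still permits inline script, the following is an added checker (not code from the issue author, draw.io or this project) that parses a CSP header value and decides whether inline `<script>` would be allowed. It assumes standard CSP semantics: `script-src` governs scripts, `default-src` is the fallback, `'unsafe-inline'` is ignored by Level 2+ browsers when a nonce, hash or `'strict-dynamic'` source is present, and a policy with neither directive does not restrict scripts at all. The sample headers are constructed for illustration.

```python
"""Decide whether a Content-Security-Policy header value still permits inline script.

Added example; assumes standard CSP semantics as described in the lead-in.
"""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directive names are case-insensitive and browsers honour only the first
    occurrence of a directive, so later duplicates are ignored here too.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that governs scripts, or None if nothing does."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")  # fallback directive, may be absent


def allows_inline_script(header: str) -> bool:
    """True if a browser enforcing this policy would execute inline script."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no governing directive: inline script is unrestricted
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    # A nonce-, hash- or strict-dynamic source causes CSP Level 2+ browsers to
    # ignore 'unsafe-inline', so the policy is effectively strict in that case.
    strict_markers = ("'nonce-", "'sha256-", "'sha384-", "'sha512-", "'strict-dynamic'")
    return not any(s.startswith(strict_markers) for s in lowered)


# Constructed sample header values: a weak policy and a corrected one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
CORRECTED_CSP = "default-src 'self'; script-src 'self'"


def audit(headers: Dict[str, str]) -> Dict[str, bool]:
    """Map each labelled header value to whether it still permits inline script."""
    return {label: allows_inline_script(value) for label, value in headers.items()}


if __name__ == "__main__":
    for label, permits in audit({"weak": WEAK_CSP, "corrected": CORRECTED_CSP}).items():
        print(f"{label}: inline script {'ALLOWED' if permits else 'blocked'}")
```

Run it against the `Content-Security-Policy` value a deployment actually sends; if the result is `ALLOWED` and the bundled draw.io is older than 18.0.0, the stored XSS from the huntr report is reachable and upgrading is the fix.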