6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-13127

CVE-2019-13127: mxGraph vulnerable to cross-site scripting in color field

mxGraph through 4.0.0, related to the draw.io Diagrams plugin before 8.3.14 for Confluence and other products, is vulnerable to cross-site scripting. draw.io Diagrams allows the creation and editing of draw.io-based diagrams in Confluence. Among other things, it allows to set the background color of text displayed in the diagram. The color provided by the user is notproperly sanitized, leading to HTML and JavaScript code to be displayed "as it is" to visitors of the page. This allows attackers to execute JavaScript code in the context of the visitor's browser and session and to e.g. run Confluence command under the visitor's user or attack the visitor's browser.

Proof of Concept (PoC):

Create a new draw.io Diagram, add an element and edit its background color and enter some text to the element
Enter the following "color": onMouseOver=alert(1) a=
Save and view the resulting diagram, moving your mouse over the text

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-13127

CVE-2019-13127:

6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mxgraph	npm	<= 4.0.0	4.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerability was in Dialogs.js where color input validation was added. The pre-patch code (lines 204-215) directly used user-provided color values without proper sanitization, allowing injection of event handlers like onMouseOver. The PoC demonstrates this by injecting JavaScript through the color field. The fix added regex validation for hex color formats, confirming the vulnerability existed in the color processing logic of this dialog handler.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-13127: mxGraph vulnerable to cross-site scripting in color field

CVE-2019-13127:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2019-13127: mxGraph vulnerable to cross-site scripting in color field

Technical Details

Basic Information

Basic Information

6.1

6.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI