6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-13127

GHSA ID

GHSA-xm59-jvxm-cp3v

EPSS Score

0.55491%

CWE

CWE-79

Published

5/24/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-13127

CVE-2019-13127: mxGraph vulnerable to cross-site scripting in color field

mxGraph through 4.0.0, related to the draw.io Diagrams plugin before 8.3.14 for Confluence and other products, is vulnerable to cross-site scripting. draw.io Diagrams allows the creation and editing of draw.io-based diagrams in Confluence. Among other things, it allows to set the background color of text displayed in the diagram. The color provided by the user is notproperly sanitized, leading to HTML and JavaScript code to be displayed "as it is" to visitors of the page. This allows attackers to execute JavaScript code in the context of the visitor's browser and session and to e.g. run Confluence command under the visitor's user or attack the visitor's browser.

Proof of Concept (PoC):

Create a new draw.io Diagram, add an element and edit its background color and enter some text to the element
Enter the following "color": onMouseOver=alert(1) a=
Save and view the resulting diagram, moving your mouse over the text

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-13127

GHSA ID

GHSA-xm59-jvxm-cp3v

EPSS Score

0.55491%

CWE

CWE-79

Published

5/24/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mxgraph	npm	<= 4.0.0	4.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerability was in Dialogs.js where color input validation was added. The pre-patch code (lines 204-215) directly used user-provided color values without proper sanitization, allowing injection of event handlers like onMouseOver. The PoC demonstrates this by injecting JavaScript through the color field. The fix added regex validation for hex color formats, confirming the vulnerability existed in the color processing logic of this dialog handler.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

mx*r*p* t*rou** *.*.*, r*l*t** to t** [*r*w.io *i**r*ms](*ttps://*it*u*.*om/j*r*p*/*r*wio) plu*in ***or* *.*.** *or *on*lu*n** *n* ot**r pro*u*ts, is vuln*r**l* to *ross-sit* s*riptin*. *r*w.io *i**r*ms *llows t** *r**tion *n* **itin* o* *r*w.io-**s*

Reasoning

T** *ommit *i** s*ows t** vuln*r**ility w*s in `*i*lo*s.js` w**r* *olor input v*li**tion w*s *****. T** pr*-p*t** *o** (lin*s ***-***) *ir**tly us** us*r-provi*** *olor v*lu*s wit*out prop*r s*nitiz*tion, *llowin* inj**tion o* *v*nt **n*l*rs lik* `on

6.1

Basic Information

Concerned about an active attack path?

CVE-2019-13127: mxGraph vulnerable to cross-site scripting in color field

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI