XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm package @excalidraw/excalidraw
provided it was deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or sharing didn't take place, the impact is minimized.
Patch is available on version 0.15.3 and up (stable), or latest @excalidraw/excalidraw@next
(unstable releases).
No workaround without upgrading unless deployed in environments without untrusted user input.
https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658 https://github.com/excalidraw/excalidraw/pull/6728
{ "github_reviewed_at": "2023-08-16T21:00:33Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true }