Introduction

A recently identified vulnerability, CVE-2023-47831, targets versions 1.1.3 and lower of the [assorted[chips] DrawIt (draw.Io) plugin](https://assortedchips.com/plugins/drawit) used in various content management systems (CMS). The main issue is an improper neutralization of input during web page generation – in simple terms, a classic Cross-site Scripting (XSS) vulnerability.

If you use this plugin, you could be at risk. XSS bugs allow attackers to run malicious code in a user’s browser, potentially stealing information, taking over accounts, or conducting phishing attacks.

Vulnerability Details

The problem lies in how the plugin handles user input when generating web pages or inserting drawings. Instead of escaping that input so that any embedded scripts or markup are rendered as inert text, the plugin lets unsafe data pass straight through into the page.

Official CVE entry:
https://nvd.nist.gov/vuln/detail/CVE-2023-47831

Short Description:
> Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in assorted[chips] DrawIt (draw.Io) plugin <= 1.1.3 versions lets attackers inject malicious JavaScript via crafted input.

How the Exploit Works

When a user draws a diagram using the plugin, the drawing's metadata (such as its name or description) or the diagram's internal data is not properly escaped before being inserted into the resulting HTML/JavaScript.

Attack scenario:
1. The attacker crafts a drawing and, in the metadata or as part of a shape, injects a payload like `<script>alert('XSS');</script>`.

Below is a simplified PHP snippet showing the insecure logic:

```php
// BAD CODE – vulnerable to XSS:
$name = $_POST['drawing_name']; // User input not sanitized
echo "<div class='drawing-title'>$name</div>";
```

If someone submits `<script>alert('XSS');</script>` as the name, that script will RUN in the browser!

A secure version:

```php
// GOOD CODE – properly escapes input:
$name = $_POST['drawing_name'];
echo "<div class='drawing-title'>" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</div>";
```
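The fix above covers the HTML body context, but the same drawing data is also handed to the browser inside JavaScript, where `htmlspecialchars` is the wrong escaper. The following is an added example, not the plugin's own code; the function names, the `$drawing` array and the sample payload are assumptions made for illustration.

```php
<?php
// Added example (not DrawIt's code): context-aware escaping for the two
// places the article names, HTML body/attributes and an inline <script>.
// Function names and the $drawing record are assumptions for illustration.

/** Escape untrusted text for an HTML element body or a quoted attribute. */
function esc_html_ctx(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Serialize untrusted data for an inline <script> block. With these flags
 * json_encode turns <, >, &, ' and " into \uXXXX escapes (and "/" into "\/"),
 * so a "</script>" inside the data can no longer close the script element.
 * Non-ASCII characters, including U+2028/U+2029, are \u-escaped as well.
 */
function esc_js_data($value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Render a drawing record into HTML, escaping each value for its context. */
function render_drawing(array $drawing): string {
    $title = esc_html_ctx($drawing['name']);
    $html  = "<div class='drawing-title' data-name='{$title}'>{$title}</div>\n";
    // Diagram data passed to the client-side viewer through a script block:
    // htmlspecialchars() would NOT be enough here, a JS-context encoder is.
    $html .= "<script>var drawitData = " . esc_js_data($drawing['xml']) . ";</script>\n";
    return $html;
}

// Constructed sample record carrying the article's payload in both fields.
$sample = [
    'name' => "<script>alert('XSS via DrawIt!');</script>",
    'xml'  => "<mxfile></script><script>alert(1)</script>",
];
echo render_drawing($sample);
```

Run it with `php` and inspect the output: neither field can break out of its context, because the title arrives as `&lt;script&gt;...` and the script block receives a JSON string literal with every `<` and `>` written as `\u003C` and `\u003E`.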

Reproduction steps:

1. Go to a page where you can create a new drawing with the DrawIt plugin.

2. Set the drawing name to: `<script>alert('XSS via DrawIt!');</script>`

The resulting HTML:

```html
<div class="drawing-title"><script>alert('XSS via DrawIt!');</script></div>
```

This script will execute for anyone loading the page, not just the attacker!

Mitigation

- If you cannot patch quickly, disable the DrawIt plugin until a fix can be applied.

- Implement Content Security Policy (CSP) headers as defense-in-depth, but *do not* rely solely on them.

References

- [CVE-2023-47831 Official NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2023-47831)
- [assorted[chips] DrawIt Plugin Homepage](https://assortedchips.com/plugins/drawit)
- OWASP XSS Cheat Sheet
- DrawIt (draw.Io) on GitHub (if available)

Conclusion

CVE-2023-47831 is a typical but dangerous XSS bug, allowing attackers to run code in other users' browsers via tainted data fields in the DrawIt plugin. If you use DrawIt version 1.1.3 or lower, upgrade or patch *immediately*. Don't leave your site open to hijackers: escaping untrusted input for the context it lands in (HTML, attribute, or JavaScript) is your best friend.

Timeline

Published on: 11/22/2023 23:15:10 UTC
Last modified on: 12/02/2023 04:33:38 UTC