Drawnix Cross-Site Scripting Vulnerability in Debug Logging Functionality

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Drawnix, an open-source whiteboard tool, affecting versions through 0.2.1. The issue arises in the debug logging feature, where user-controlled content is directly inserted into the DOM using innerHTML without proper sanitization. This vulnerability allows for arbitrary JavaScript execution within the application context, potentially exposing user data or enabling unauthorized actions. The problem can be exploited if an attacker can inject untrusted data into the debug logger, for example, through a malicious extension.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute arbitrary JavaScript in the context of the application, potentially leading to the execution of malicious actions or the exposure of user data.

Reproduction

To verify the existence of this vulnerability, a payload can be injected through the browser console. Enter a command that uses the global function '__drawnix__web__console' to send untrusted data, such as an image tag with an 'onerror' event, which would trigger an alert. This demonstrates the lack of input sanitization and the potential for XSS exploitation.
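The sink described in the Vulnerability and Reproduction sections, shown beside two hardened forms, as an added example that is not Drawnix's own code: makeElement is a stand-in for a DOM element so the block runs in Node, and appendLogUnsafe, appendLogSafe, appendLogEscaped and PROBE are constructed names and input for illustration.

```javascript
// Minimal stand-in for a DOM element so this runs in Node without a browser.
// In a real browser, assigning innerHTML parses markup; textContent never does.
function makeElement() {
  return { innerHTML: '', textContent: '', children: [] };
}

// Escape the characters that let text break out of an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (the bug class in the advisory): an untrusted log message
// is concatenated into markup and handed to innerHTML, so any tag it contains
// is parsed and its event handlers run.
function appendLogUnsafe(container, message) {
  container.innerHTML += '<div class="log-line">' + message + '</div>';
  return container.innerHTML;
}

// Hardened pattern A: create a node and set textContent, so the message is
// rendered as literal text and is never parsed as HTML.
function appendLogSafe(container, message) {
  const line = makeElement();
  line.textContent = String(message);
  container.children.push(line);
  return line.textContent;
}

// Hardened pattern B: if markup must be built as a string, escape the
// untrusted part before it reaches innerHTML.
function appendLogEscaped(container, message) {
  container.innerHTML += '<div class="log-line">' + escapeHtml(message) + '</div>';
  return container.innerHTML;
}

// Constructed probe of the kind the Reproduction section describes: an image
// tag whose error handler would execute if the string were parsed as markup.
const PROBE = '<img src=x onerror=alert(1)>';
```

Run against PROBE, only appendLogUnsafe leaves a live `<img ... onerror=...>` in the container; the other two keep it as inert text.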

Remediation

Users are advised to update to Drawnix version 0.3.0 or later, where this vulnerability has been fixed.

Added: Sep 15, 2025, 10:52 PM
Updated: Sep 15, 2025, 10:52 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 8.7
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.