This issue has been fixed in the current version. As a precaution, update your code to the latest version. If you use jgraph/drawio through AngularJS or any other framework, this applies to your project as well.

CVE-2018-1000083 - generic in jgraph/drawio prior to 20.3.0. You need to upgrade your code to fix this issue.

CVE-2018-1000084 - generic in jgraph/drawio prior to 20.3.0. You need to upgrade your code to fix this issue.

CVE-2018-1000085 - generic in jgraph/drawio prior to 20.3.0. You need to upgrade your code to fix this issue.

CVE-2018-1000086 - generic in jgraph/drawio prior to 20.3.0. You need to upgrade your code to fix this issue.

CVE-2018-1000087 - generic in jgraph/drawio prior to 20.3.0. You need to upgrade your code to fix this issue.

CVE-2018-1000088 - generic in jgraph/drawio prior to 20.3.0. You need to upgrade your code to fix this issue.

CVE-2018-1000089 - generic in jgraph/drawio prior to 20.3.0. You need to upgrade your code to fix this issue.

Drawio code example for AngularJS

Detecting and preventing vulnerable code with SemVer

Semantic Versioning (SemVer) is a specification that was created by the Ruby community to help people identify what has changed in a piece of software with each release. SemVer is simple and easy to understand and follow. It is used extensively by open source projects, such as Ruby on Rails, so that developers can coordinate their releases without introducing compatibility problems or incompatible changes.

Developers, or teams of developers, can easily bring their copy of a project up to date when they detect that it has changed since the version they have. To do so, they would run a command such as:

$ git checkout master && git pull origin master

This updates your checkout to the latest commit on master. However, if you notice that the upstream change is incompatible with your own code, you need to go through steps like these:

1) Detecting vulnerable versions of jgraph/drawio

If your project used jgraph/drawio before v20.3, it is most likely that some of your code has been updated from v20.2 onwards. To find out which jgraph-drawio versions your history still references (anything below v20.3.0 is vulnerable), run:

$ git log --oneline | grep -A 1 "jgraph-drawio" | grep -E "v[0-9]+" | cut -d ' ' -f 2-
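The version check from this section, as an added example that is not code from the advisory or from the drawio project: it compares versions under SemVer precedence and flags copies below the fixed release 20.3.0 in an npm package-lock. The package path name drawio, the lockfile layout and the sample entries are assumptions constructed for the example.

```javascript
// Added example, not drawio project code: flag copies of jgraph/drawio below the fixed
// release 20.3.0 in an npm lockfile using SemVer precedence (numeric core compared field
// by field, a pre-release sorts before its release, build metadata is ignored).
const FIXED_VERSION = "20.3.0"; // first release the advisory lists as fixed

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v") into parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a SemVer string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}
// Comparator (<0, 0, >0) following the precedence rules of the SemVer specification.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;  // a release outranks its own pre-releases
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (xn) return -1;  // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return pa.pre.length - pb.pre.length;  // the longer pre-release list sorts higher
}

// Walk the "packages" map of a package-lock (v2/v3 layout, assumed) and list every
// install under a path ending in node_modules/drawio (assumed package name) below the fix.
function findVulnerableDrawio(lockfile, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/drawio$/.test(path) || !meta.version) continue;
    if (compareSemver(meta.version, fixed) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: one vulnerable copy, one pre-release of the fix, one fixed.
const SAMPLE_LOCK = { packages: {
  "node_modules/drawio": { version: "20.2.3" },
  "node_modules/some-widget/node_modules/drawio": { version: "20.3.0-beta.1" },
  "node_modules/other/node_modules/drawio": { version: "20.3.0" },
} };
```

Running findVulnerableDrawio(SAMPLE_LOCK) reports the 20.2.3 copy and the 20.3.0-beta.1 copy, since a pre-release of the fixed version still precedes the fix.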

Timeline

Published on: 09/08/2022 10:15:00 UTC
Last modified on: 09/09/2022 21:09:00 UTC