CVE-2019-13127
Description
mxGraph and draw.io Diagrams for Confluence are vulnerable to stored XSS due to improper sanitization of the diagram element background color field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
An improper input validation and sanitization flaw exists in mxGraph through version 4.0.0 and the draw.io Diagrams plugin for Confluence prior to version 8.3.14. The flaw is in the color selection field of the diagram element editor, implemented in Dialogs.js. User-supplied color values are not validated before being rendered into the diagram markup, so an attacker can inject arbitrary HTML and JavaScript into the diagram content [1][2].
Attack Vector and Exploitation
The attack is persistent (stored) and requires the ability to create or edit draw.io diagrams within Confluence. The proof-of-concept sets a diagram element's background color to a crafted string such as " onMouseOver=alert(1) a=". When a victim views the affected diagram and hovers the mouse over the element, the injected JavaScript executes in their browser session [2]. No authentication bypass is needed beyond standard diagram editing permissions.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser and Confluence session. This can lead to actions performed under the victim's identity, such as modifying Confluence pages, accessing sensitive data, or launching further attacks against the browser [2]. The vulnerability is classified as Cross-Site Scripting (CWE-79) with a medium risk level.
Mitigation
A fix was introduced in the mxGraph repository via commit 76e8e28, which adds validation of color codes using a regex pattern to ensure only valid hexadecimal color values are accepted [4]. The draw.io Diagrams for Confluence plugin was patched in version 8.3.14 and later releases [2][3]. Users are strongly advised to update to the latest version to eliminate this vulnerability.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mxgraph (npm) | < 4.0.1 | 4.0.1 |
Affected products
- mxGraph/draw.io Diagrams plugin for Confluence
Patches
- 76e8e2809b62: Added validation of input color codes
1 file changed · +11 −4
javascript/examples/grapheditor/www/js/Dialogs.js+11 −4 modified@@ -204,14 +204,21 @@ var ColorDialog = function(editorUi, color, apply, cancelFn) var applyBtn = mxUtils.button(mxResources.get('apply'), function() { var color = input.value; - ColorDialog.addRecentColor(color, 12); + // https://stackoverflow.com/questions/8027423/how-to-check-if-a-string-is-a-valid-hex-color-representation/8027444 + var colorValid = /(^#?[0-9A-F]{6}$)|(^#[0-9A-F]{3}$)/i.test(color); - if (color != 'none' && color.charAt(0) != '#') + if (colorValid) { - color = '#' + color; + ColorDialog.addRecentColor(color, 12); + + if (color != 'none' && color.charAt(0) != '#') + { + color = '#' + color; + } + + applyFunction(color); } - applyFunction(color); editorUi.hideDialog(); }); applyBtn.className = 'geBtn gePrimaryBtn';
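Review bot: Inside the new `if (colorValid)` branch, the retained check `if (color != 'none' && color.charAt(0) != '#')` is now dead code, because the literal `none` cannot match `/(^#?[0-9A-F]{6}$)|(^#[0-9A-F]{3}$)/i`; the practical effect is that a "no fill" value can no longer be applied through this dialog, and the same regex also rejects three-digit values without a leading `#` while accepting six-digit ones without it. If `none` is meant to remain valid, compute `var colorValid = color == 'none' || /(^#?[0-9A-F]{6}$)|(^#[0-9A-F]{3}$)/i.test(color);` instead. Separately, when `colorValid` is false the handler falls through to `editorUi.hideDialog()` with no feedback, so a rejected value silently closes the dialog; consider keeping the dialog open or reporting the rejection to the user.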
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-xm59-jvxm-cp3v (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-13127 (NVD)
- https://github.com/jgraph/mxgraph/commit/76e8e2809b622659a9c5ffdc4f19922b7a68cfa3 (fix commit)
- https://marketplace.atlassian.com/apps/1210933/draw-io-diagrams-for-confluence/version-history (plugin version history)
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-032.txt (SySS advisory)
News mentions
No linked articles in our index yet.