VYPR
Moderate severity · NVD Advisory · Published Oct 11, 2022 · Updated Aug 3, 2024

CVE-2022-40440

Description

mxGraph v4.2.2 has a stored XSS vulnerability in the setTooltips() function via unescaped innerHTML insertion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

mxGraph v4.2.2 is affected by a cross-site scripting (XSS) vulnerability in the setTooltips() function. The root cause is that the mxTooltipHandler uses innerHTML to insert custom tooltip content without proper sanitization. When tooltips are enabled, the show() method of mxTooltipHandler directly assigns user-controlled input to innerHTML, allowing arbitrary HTML and JavaScript execution [1][2].

Exploitation

An attacker can exploit this by crafting a vertex label containing a malicious payload. When a user hovers over the crafted vertex, the tooltip handler renders the label's content via `innerHTML`, executing the injected script in the context of the application. No authentication is required, as the vulnerability is triggered purely by user interaction (hovering) with a crafted cell in the diagram [2].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive data, or further attacks within the context of the vulnerable web application. Because mxGraph is a client-side library, the impact is limited to the user's browser session [1][2].

Mitigation

Development on mxGraph has officially stopped, and the repository is effectively end-of-life as of November 2020. No official patch is available. Users are advised to consider actively maintained forks (e.g., jsGraph/mxgraph or process-analytics/mxgraph) or migrate to alternative diagramming libraries. If continued use is unavoidable, application-level input sanitization and output encoding should be implemented for all tooltip content [3].
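The application-level output encoding recommended above, as an added example that is not mxGraph's own code: the label is entity-encoded before any tooltip text reaches `innerHTML`, mirroring the vulnerable pattern beside the hardened one. The override point `graph.getTooltipForCell` and the `\n` to `<br>` conversion are assumptions about how the host application and mxTooltipHandler behave.

```javascript
// Added example (not mxGraph's code). Models the advisory's bug: a cell
// label assigned to the tooltip div's innerHTML without encoding.

// Entity map covering every character that can open markup or break out
// of an attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern described in the advisory: the label string becomes
// the innerHTML value unchanged, so any markup in it is parsed and rendered.
function vulnerableTooltipHtml(label) {
  return label;
}

// Hardened pattern: encode first, then reintroduce only the markup we
// control (line breaks, which mxGraph tooltips commonly contain). The only
// element that can reach innerHTML is the <br> we add ourselves.
function safeTooltipHtml(label) {
  return escapeHtml(label).replace(/\n/g, '<br>');
}

// Check used by the test: does the string that would be assigned to
// innerHTML still contain an element start tag other than our own <br>?
function containsElementTag(html) {
  return /<[a-zA-Z][^>]*>/.test(html.replace(/<br>/g, ''));
}

// Wiring into a hypothetical host application (assumed API: mxGraph's
// getTooltipForCell / convertValueToString):
//   graph.getTooltipForCell = function (cell) {
//     return safeTooltipHtml(graph.convertValueToString(cell));
//   };

// Constructed sample label carrying markup, as a crafted vertex would.
const SAMPLE_LABEL = 'Pump #2\n<img src=x onerror=alert(1)>';
```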

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mxgraph (npm)
Affected versions: <= 4.2.2
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.