Description
XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. Depending on the actual context, this ranges from stealing secrets to account hijacking or even to code execution for example in desktop applications. Web based applications are the ones most affected. Since the SVG format allows clickable links in diagrams, it is commonly used in plugins for web based projects (like the Confluence plugin, etc. see https://plantuml.com/de/running).
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604
Patch, Third Party Advisory x_refsource_misc
https://github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FQMHXN5BVBK433C5SVSSBXWB5JLJ7NID/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EO26WBHQRMWTS44M5VLZJIJZOIGJYL3A/
Scores
CVSS v3
6.1
EPSS
0.0024
EPSS Percentile
47.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
fedoraproject/fedora
35
fedoraproject/fedora
36
plantuml/plantuml
< 1.2022.4
Published
Apr 15, 2022
Tracked Since
Feb 18, 2026