Skip to main content

DrawIO for ownCloud CVE-2025-53831

| EUVDEUVD-2025-210435 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-06 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
vuln.today AI
5.4 MEDIUM

Requires an authenticated app user (PR:L) and victim interaction (UI:R); stored XSS crosses into the victim's browser context (S:C) with impact bounded to session/data there, so C:L/I:L and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 18:02 EUVD
Analysis Generated
Jul 06, 2026 - 17:10 vuln.today

DescriptionCVE.org

DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attackers with access to the DrawIO app can leverage improper neutralization of input during web page generation to achieve stored XSS. Upgrade ownCloud 10 to version 10.15.3 or later or upgrade DrawIO for ownCloud 10 to version 1.0.2 or later to receive a patch.

AnalysisAI

Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10.15.3) allows an authenticated user with access to the DrawIO app to persist a malicious payload that later executes in another user's browser session. Because the payload is stored and rendered to victims within the trusted ownCloud origin, it can hijack sessions or act on the victim's behalf. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Technical ContextAI

ownCloud Classic (ownCloud 10) is a self-hosted file storage, synchronization, and sharing platform; DrawIO for ownCloud is an add-on app that embeds the draw.io diagramming editor so diagrams can be created and stored alongside files. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-controlled input - such as diagram content, metadata, or names rendered by the app - is written into generated HTML without adequate output encoding or sanitization, so it is interpreted as active script. The two affected products identified via CPE are cpe:2.3:a:owncloud:drawio_for_owncloud (the app itself) and cpe:2.3:a:owncloud:owncloud_10 (the host platform that bundles it), confirming the vulnerable surface is the DrawIO app as integrated into the ownCloud 10 web UI.

RemediationAI

Apply the vendor-released patch: upgrade DrawIO for ownCloud to version 1.0.2 or later, or upgrade the host ownCloud 10 platform to version 10.15.3 or later, both of which contain the fix (see advisory GHSA-r9j8-fr2h-m47q at https://github.com/owncloud/security-advisories/security/advisories/GHSA-r9j8-fr2h-m47q). If immediate patching is not possible, the most direct compensating control is to disable or unload the DrawIO app from the ownCloud app management console, which removes the vulnerable surface entirely at the cost of losing diagram-editing functionality for all users. As secondary hardening, restrict which users can access the DrawIO app to trusted accounts only, reducing the pool of potential injectors, and enforce a strict Content-Security-Policy on the ownCloud origin to constrain script execution - accepting that CSP may break some legitimate embedded-editor behavior and is not a substitute for the patch.

Share

CVE-2025-53831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy