Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Requires an authenticated app user (PR:L) and victim interaction (UI:R); stored XSS crosses into the victim's browser context (S:C) with impact bounded to session/data there, so C:L/I:L and no availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attackers with access to the DrawIO app can leverage improper neutralization of input during web page generation to achieve stored XSS. Upgrade ownCloud 10 to version 10.15.3 or later or upgrade DrawIO for ownCloud 10 to version 1.0.2 or later to receive a patch.
AnalysisAI
Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10.15.3) allows an authenticated user with access to the DrawIO app to persist a malicious payload that later executes in another user's browser session. Because the payload is stored and rendered to victims within the trusted ownCloud origin, it can hijack sessions or act on the victim's behalf. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Technical ContextAI
ownCloud Classic (ownCloud 10) is a self-hosted file storage, synchronization, and sharing platform; DrawIO for ownCloud is an add-on app that embeds the draw.io diagramming editor so diagrams can be created and stored alongside files. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-controlled input - such as diagram content, metadata, or names rendered by the app - is written into generated HTML without adequate output encoding or sanitization, so it is interpreted as active script. The two affected products identified via CPE are cpe:2.3:a:owncloud:drawio_for_owncloud (the app itself) and cpe:2.3:a:owncloud:owncloud_10 (the host platform that bundles it), confirming the vulnerable surface is the DrawIO app as integrated into the ownCloud 10 web UI.
RemediationAI
Apply the vendor-released patch: upgrade DrawIO for ownCloud to version 1.0.2 or later, or upgrade the host ownCloud 10 platform to version 10.15.3 or later, both of which contain the fix (see advisory GHSA-r9j8-fr2h-m47q at https://github.com/owncloud/security-advisories/security/advisories/GHSA-r9j8-fr2h-m47q). If immediate patching is not possible, the most direct compensating control is to disable or unload the DrawIO app from the ownCloud app management console, which removes the vulnerable surface entirely at the cost of losing diagram-editing functionality for all users. As secondary hardening, restrict which users can access the DrawIO app to trusted accounts only, reducing the pool of potential injectors, and enforce a strict Content-Security-Policy on the ownCloud origin to constrain script execution - accepting that CSP may break some legitimate embedded-editor behavior and is not a substitute for the patch.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210435