Drawio For Owncloud
Monthly
Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10.15.3) allows an authenticated user with access to the DrawIO app to persist a malicious payload that later executes in another user's browser session. Because the payload is stored and rendered to victims within the trusted ownCloud origin, it can hijack sessions or act on the victim's behalf. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10.15.3) allows an authenticated user with access to the DrawIO app to persist a malicious payload that later executes in another user's browser session. Because the payload is stored and rendered to victims within the trusted ownCloud origin, it can hijack sessions or act on the victim's behalf. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.