CVE-2024-32472: 
JavaScript vulnerability analysis and mitigation

A stored XSS vulnerability was discovered in Excalidraw's web embeddable component, identified as CVE-2024-32472. The vulnerability affects versions >=0.16.0,<0.16.4 and >=0.17.0,<0.17.6 of the @excalidraw/excalidraw npm package. The issue was disclosed on April 17, 2024, and allows arbitrary JavaScript execution in the context of the domain where the editor is hosted (GitHub Advisory).

The vulnerability stems from two distinct vectors: First, the component rendered untrusted strings as iframe's 'srcdoc' without proper HTML injection sanitization. Second, there was improper sanitization against attribute HTML injection. When combined with the 'allow-same-origin' sandbox flag, which was necessary for several embeds, this resulted in a cross-site scripting vulnerability. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of the domain where the Excalidraw editor is hosted. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious actions within the context of the affected domain (GitHub Advisory).

The vulnerability has been patched in versions 0.17.6 and 0.16.4. The fixes include no longer rendering unsafe srcdoc content verbatim, instead strictly parsing the supplied content and constructing the srcdoc manually. Additionally, proper sanitization has been implemented, and the 'allow-same-origin' flag is now only set in cases that require it, following the principle of least privilege (GitHub Advisory).