DrawIO for ownCloud 10 is vulnerable to Stored XSS
Summary
| CVE | CVE-2025-53831 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-06 17:16:26 UTC |
| Updated | 2026-07-06 19:16:54 UTC |
| Description | DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attackers with access to the DrawIO app can leverage improper neutralization of input during web page generation to achieve stored XSS. Upgrade ownCloud 10 to version 10.15.3 or later or upgrade DrawIO for ownCloud 10 to version 1.0.2 or later to receive a patch. |
Risk And Classification
Primary CVSS: v3.1 8.2 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Problem Types: CWE-79 | CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
| 3.1 | CNA | DECLARED | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
RequiredScope
ChangedConfidentiality
HighIntegrity
LowAvailability
LowCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Owncloud | DrawIO For OwnCloud | affected < 1.0.2 | Not specified |
| CNA | Owncloud | OwnCloud 10 | affected < 10.15.3 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/owncloud/security-advisories/security/advisories/GHSA-r9j8-fr... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.