Fixed version: 6.43.1
CVE-2020-36523 identifies a cross-site scripting (XSS) vulnerability in PlantUML version 6.43. The flaw resides in the Database Information Macro component and lets remote attackers inject script content that is executed in the browser of a user viewing the rendered diagram. The vulnerability has been publicly disclosed and a fix is available in version 6.43.1.
Successful exploitation of CVE-2020-36523 allows an attacker to inject arbitrary JavaScript code into a PlantUML diagram rendered in a user's browser. This can lead to various malicious outcomes, including session hijacking, defacement of the PlantUML interface, and theft of sensitive information. The impact is particularly concerning in environments where PlantUML diagrams are used to display confidential data or are integrated into critical workflows. Because the vulnerability is triggered remotely, an attacker does not need local access to the PlantUML server to exploit it.
CVE-2020-36523 was publicly disclosed on June 3, 2022. A public proof-of-concept may exist, increasing the risk of exploitation. The vulnerability is not currently listed on CISA KEV, and there are no confirmed reports of active exploitation campaigns. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public disclosure necessitates prompt remediation.
Exploit Status
EPSS: 0.21% (43rd percentile)
CVSS Vector
The primary mitigation for CVE-2020-36523 is to upgrade PlantUML to version 6.43.1 or later, which contains the fix. If immediate upgrading is not feasible, consider implementing input validation and sanitization on any user-supplied data used within PlantUML diagrams. While a direct WAF rule is difficult to implement without specific knowledge of the attack vectors, restricting access to the Database Information Macro functionality could reduce the attack surface. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a PlantUML diagram and confirming that it is not executed.
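The paragraph above recommends two compensating controls: escaping user-supplied data before it reaches a diagram, and verifying after the upgrade that an injected script payload is not executed. The following is an added illustration, not PlantUML code and not part of the original page: it simulates a diagram label being written into SVG output with and without escaping, and a checker that inspects the rendered markup for active content (script elements, event-handler attributes, javascript: URLs). The probe strings, `render_label` and the SVG skeleton are constructed for the example.

```python
import html
import re

# Constructed probe strings for post-upgrade verification. They are inert
# markers, not a working exploit: the check passes when they do NOT survive
# into the rendered output as live markup.
PROBES = [
    '<script>document.title="xss-probe"</script>',
    '<img src=x onerror="document.title=\'xss-probe\'">',
]


def escape_for_diagram(text: str) -> str:
    """Escape untrusted text before it is placed in a diagram label.

    html.escape converts < > & " ' to entities, so the text can only ever be
    rendered as characters, never parsed as SVG/HTML markup.
    """
    return html.escape(text, quote=True)


def render_label(label: str, escape_untrusted: bool) -> str:
    """Simulated renderer (hypothetical, not PlantUML's own code).

    escape_untrusted=False mimics the vulnerable behaviour of inserting the
    macro value verbatim; escape_untrusted=True is the hardened form.
    """
    if escape_untrusted:
        label = escape_for_diagram(label)
    return (
        '<svg xmlns="http://www.w3.org/2000/svg">'
        f'<text x="10" y="20">{label}</text>'
        '</svg>'
    )


# Any tag in the rendered output. Escaped payloads contain no '<', so they
# never produce a tag and are therefore never flagged.
_TAG = re.compile(r'<[^>]*>')
_EVENT_HANDLER = re.compile(r'\son[a-z]+\s*=')


def contains_active_content(rendered: str) -> bool:
    """Return True if the markup contains script-bearing constructs.

    Only the inside of tags is inspected, so an escaped payload that merely
    mentions 'onerror=' as text does not produce a false positive.
    """
    for tag in _TAG.findall(rendered):
        t = tag.lower()
        if t.startswith('<script'):
            return True
        if _EVENT_HANDLER.search(t):
            return True
        if 'javascript:' in t:
            return True
    return False


def verify_probes_neutralised(escape_untrusted: bool) -> bool:
    """Run every probe through the renderer; True when none survive as markup."""
    return not any(
        contains_active_content(render_label(p, escape_untrusted)) for p in PROBES
    )


if __name__ == "__main__":
    print("vulnerable renderer neutralises probes:", verify_probes_neutralised(False))
    print("hardened renderer neutralises probes:  ", verify_probes_neutralised(True))
```

In a real verification you would replace `render_label` with the output of your upgraded PlantUML instance (for example the SVG it produces for a diagram whose macro value is one of the probes) and run `contains_active_content` over that output; a clean result on both probe shapes is the evidence that the fix, or the interim escaping, is in place.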
Update PlantUML to a version later than 6.43 that has fixed the cross-site scripting (XSS) vulnerability in the Database Information Macro. Consult the PlantUML release notes or changelog for details on the fixed version. If no fixed version is available, consider disabling or avoiding the use of the Database Information Macro until a fix is published.
CVE-2020-36523 is a cross-site scripting (XSS) vulnerability affecting PlantUML version 6.43, specifically the Database Information Macro component, allowing remote attackers to inject script content that runs in the browser of a user viewing the rendered diagram.
You are affected if you are using PlantUML version 6.43. Upgrade to version 6.43.1 or later to mitigate the risk.
Upgrade PlantUML to version 6.43.1 or a later version. Consider input validation as a temporary workaround if upgrading is not immediately possible.
While there are no confirmed reports of active exploitation, the vulnerability has been publicly disclosed, increasing the potential for exploitation.
Refer to the PlantUML project's security advisories and release notes for details: https://plantuml.com/security