
CVE-2025-58172: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in plait-board drawnix

Medium
Tags: Vulnerability, CVE-2025-58172, cve, cwe-79
Published: Mon Sep 15 2025 (09/15/2025, 16:43:19 UTC)
Source: CVE Database V5
Vendor/Project: plait-board
Product: drawnix

Description

drawnix is an all in one open-source whiteboard tool. In drawnix versions through 0.2.1, a cross-site scripting (XSS) vulnerability exists in the debug logging functionality. User controlled content is inserted directly into the DOM via innerHTML without sanitization when the global function __drawnix__web__console is invoked, as shown in apps/web/src/app/app.tsx where div.innerHTML = value is executed. This can allow arbitrary JavaScript execution in the context of the application if an attacker can cause untrusted data to be passed to the debug logger (for example via a malicious extension or other injection vector), potentially exposing user data or enabling unauthorized actions. The issue is fixed in version 0.3.0. Updating to 0.3.0 or later is recommended. No known workarounds exist.

AI-Powered Analysis

Last updated: 09/15/2025, 17:37:26 UTC

Technical Analysis

CVE-2025-58172 is a cross-site scripting (XSS) vulnerability in the open-source whiteboard tool drawnix, versions prior to 0.3.0. The vulnerability arises from improper neutralization of user input during web page generation, specifically within the debug logging functionality. The root cause is that user-controlled content is inserted directly into the DOM via innerHTML without any sanitization or encoding. This occurs when the global function __drawnix__web__console is invoked, as seen in the source code at apps/web/src/app/app.tsx where the statement div.innerHTML = value is executed. Because innerHTML parses the assigned string as HTML, markup embedded in the input can introduce script-bearing elements or inline event handlers that execute in the context of the application. An attacker can exploit this vulnerability if they can cause untrusted data to be passed to the debug logger, for example via a malicious browser extension or through other injection vectors. Successful exploitation could lead to arbitrary JavaScript execution, which may expose sensitive user data, enable unauthorized actions such as session hijacking, or facilitate further attacks like privilege escalation or lateral movement within the application environment. The vulnerability has been fixed in drawnix version 0.3.0, presumably by sanitizing or encoding content before inserting it into the DOM. There are no known workarounds, so upgrading to version 0.3.0 or later is the recommended remediation. The CVSS v4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low complexity, and no privileges or authentication required, but also the need for user interaction and the limited confidentiality and integrity impact.
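The pattern the analysis describes, shown as an added example rather than drawnix's own code: a debug-entry renderer written the vulnerable way (the raw value becomes part of the markup, mirroring div.innerHTML = value) next to two hardened forms, one that escapes before building an HTML string and one that uses textContent so no markup is ever parsed. The function names, the "debug" class and the sample message are assumptions for illustration.

```javascript
// Added example, not drawnix's code. Demonstrates the innerHTML-style
// defect described in the advisory and two ways to fix it.

// Escape the characters that change meaning inside HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape: the raw value is spliced into markup, so any tags it
// contains are parsed by the browser when the string reaches innerHTML.
function renderDebugEntryUnsafe(value) {
  return `<div class="debug">${value}</div>`;
}

// Hardened shape for code that must produce an HTML string: escape first,
// so the message is displayed literally instead of being interpreted.
function renderDebugEntry(value) {
  return `<div class="debug">${escapeHtml(value)}</div>`;
}

// Preferred fix when a DOM element is at hand: textContent never parses
// markup, so there is no escaping step to forget. `container` is any DOM
// element (hypothetical parameter name); the new <div> is returned.
function appendDebugEntry(container, value) {
  const div = container.ownerDocument.createElement('div');
  div.className = 'debug';
  div.textContent = String(value);
  container.appendChild(div);
  return div;
}

// Constructed sample input: a debug message that happens to contain markup
// and other HTML-significant characters.
const SAMPLE_VALUE = '<b>state</b> changed & "saved"';
```

Calling renderDebugEntryUnsafe(SAMPLE_VALUE) yields a string in which the <b> element is live markup, whereas renderDebugEntry(SAMPLE_VALUE) yields one in which every angle bracket, ampersand and quote is encoded and the message renders as plain text. appendDebugEntry is the shape to prefer in application code, since the fix is then structural rather than dependent on every call site remembering to escape.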

Potential Impact

For European organizations using drawnix as a collaborative whiteboard tool, this vulnerability poses a moderate risk. Since drawnix is an open-source tool often used for real-time collaboration, exploitation could allow attackers to execute arbitrary scripts within the context of the application, potentially exposing sensitive intellectual property, user credentials, or internal communications. This could lead to data leakage or unauthorized actions within the collaborative environment. The impact is heightened in sectors where sensitive or regulated data is shared, such as finance, healthcare, or government agencies. Additionally, if attackers leverage this XSS vulnerability as a foothold, they may escalate attacks to compromise broader organizational systems. However, the requirement for user interaction and the need for an injection vector to pass malicious data to the debug logger somewhat limits the ease of exploitation. Still, the widespread adoption of browser extensions and plugins in enterprise environments could increase the attack surface. The absence of known exploits in the wild suggests limited current exploitation, but the vulnerability should be addressed promptly to prevent future attacks.

Mitigation Recommendations

The primary mitigation is to upgrade drawnix to version 0.3.0 or later, where the vulnerability is fixed. Organizations should ensure their deployment and update policies include timely patching of open-source tools like drawnix. Additionally, to reduce risk before patching, organizations can:

1) Restrict the installation of untrusted or unnecessary browser extensions that could inject malicious data into the application context.
2) Implement Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks.
3) Monitor application logs and user activity for unusual behavior indicative of exploitation attempts.
4) Conduct security awareness training to educate users about the risks of interacting with untrusted content or extensions.
5) If possible, isolate the drawnix application environment to limit lateral movement in case of compromise.

These steps complement patching and help reduce the attack surface and potential impact.
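Recommendation 2 only helps if the deployed policy actually forbids inline script, which is easy to get wrong. The following is an added example, not part of the advisory or of drawnix, that parses a Content-Security-Policy header value and reports whether its effective script source list still permits inline script. The header strings in CSP_EXAMPLES are constructed for illustration; the function names are assumptions.

```javascript
// Added example, not drawnix's code: check whether a CSP header value
// leaves inline script allowed, which is what markup injected through
// innerHTML needs in order to run event handlers.

// Parse "directive src src; directive src" into a Map of source lists.
// The first occurrence of a directive wins, as in the CSP specification.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// True when inline <script> blocks and inline event handlers may run.
// script-src falls back to default-src; with neither present, CSP does not
// restrict script at all. A nonce or hash source causes 'unsafe-inline' to
// be ignored by CSP Level 2+ browsers, so such a policy is treated as strict.
function allowsInlineScript(header) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasUnsafeInline = lower.includes("'unsafe-inline'");
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return hasUnsafeInline && !hasNonceOrHash;
}

// Constructed policies: the first three still allow inline script, the
// last two do not.
const CSP_EXAMPLES = {
  none: '',
  inlineAllowed: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  fallbackInline: "default-src 'self' 'unsafe-inline'",
  nonced: "script-src 'self' 'unsafe-inline' 'nonce-R4nd0mValue'",
  strict: "default-src 'self'; script-src 'self'",
};

// Summarise every example policy as { name: allowsInline } for a quick audit.
function auditPolicies(policies) {
  const report = {};
  for (const [name, header] of Object.entries(policies)) {
    report[name] = allowsInlineScript(header);
  }
  return report;
}
```

Run auditPolicies(CSP_EXAMPLES) against the policies your reverse proxy or application actually emits; any entry that comes back true means the CSP will not stop an inline handler smuggled in through the debug logger. Note that a script element inserted via innerHTML is not executed by browsers anyway, so the value of CSP here lies in blocking inline event handlers, which a script-src list without 'unsafe-inline' (or with a nonce or hash) does.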


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-27T13:34:56.188Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c84ebea2f5a8445a4f6876

Added to database: 9/15/2025, 5:37:02 PM

Last enriched: 9/15/2025, 5:37:26 PM

Last updated: 9/15/2025, 6:45:13 PM

