HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content.
References
Link | Resource |
---|---|
https://github.com/hackmdio/codimd/issues/1648 | Exploit Patch Third Party Advisory |
https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7efef | Patch Third Party Advisory |
https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2 | Release Notes Third Party Advisory |
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw | Third Party Advisory |
Configurations
History
08 Jun 2021, 14:36
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.1 |
References | (MISC) https://github.com/hackmdio/codimd/issues/1648 - Exploit, Patch, Third Party Advisory |
04 Jun 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content. |
01 Feb 2021, 15:05
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 7.4 |
References | (MISC) https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7efef - Patch, Third Party Advisory | |
References | (MISC) https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2 - Release Notes, Third Party Advisory | |
References | (CONFIRM) https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw - Third Party Advisory |
26 Jan 2021, 18:16
Type | Values Removed | Values Added |
---|---|---|
Summary | HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. ### Workarounds Disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content. ### References This issue was discovered by @TobiasHoll and reported to hackmdio/codimd: https://github.com/hackmdio/codimd/issues/1648 ### For more information If you have any questions or comments about this advisory: * Open an topic on our community forum * Join our matrix room |
22 Jan 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-01-22 17:15
Updated : 2023-12-10 13:41
NVD link : CVE-2021-21259
Mitre link : CVE-2021-21259
CVE.ORG link : CVE-2021-21259
JSON object : View
Products Affected
hedgedoc
- hedgedoc
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')