Filippo Cremonese

#31479 of 53,632
8.1 Total CVSS
Vulnerabilities · 1
PT-2021-18258
8.1
2021-05-19
Hedgedoc · Hedgedoc · CVE-2021-29503
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.8.2

Description: The issue allows an attacker with write access to a note to embed HTML tags in the Open Graph metadata section, resulting in the frontend rendering the script tag as part of the head section. This can be exploited by unauthenticated attackers if guest edits are allowed, or by authenticated attackers who have write-access to notes.

Recommendations: For HedgeDoc versions prior to 1.8.2, update to version 1.8.2 to resolve the issue. As a temporary workaround, consider disabling guest edits until the update is applied.