
Tobias Holland

#37860 of 53,633
7.4 Total CVSS
Vulnerabilities · 1
PT-2021-14368
7.4
2021-01-22
Hedgedoc · Hedgedoc · CVE-2021-21259
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.7.2
Description: HedgeDoc is open source software that allows users to create real-time collaborative markdown notes. An attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes.
Recommendations: For HedgeDoc versions prior to 1.7.2, update to version 1.7.2 to resolve the issue. As a temporary workaround, consider disallowing loading JavaScript from 3rd party sites using the `Content-Security-Policy` header, noting that this will break some embedded content.