PT-2020-16405 · Hedgedoc

Alemmi · Published 2020-12-28 · Updated 2020-12-30 · CVE-2020-26287

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.7.1

Description: The issue allows an attacker to inject arbitrary script tags into HedgeDoc notes via mermaid diagrams. Although the content security policy prevents loading scripts from most locations, www.google-analytics.com is allowed, which can be exploited using Google Tag Manager to inject arbitrary JavaScript and execute it on page load. Depending on the instance configuration, the attacker may not need authentication to create or edit notes.

Recommendations: For HedgeDoc versions prior to 1.7.1, update to version 1.7.1 to resolve the issue. As a temporary workaround, consider disallowing www.google-analytics.com in the Content-Security-Policy header to minimize the risk of exploitation.
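An added check for the workaround above (example code written for this page, not from the advisory or from HedgeDoc): it parses a Content-Security-Policy header and reports whether script loads from www.google-analytics.com are still permitted, taking into account the default-src fallback, wildcard and scheme-only sources. The two sample policies are constructed for illustration and are not HedgeDoc's real header.

```python
"""Check whether a Content-Security-Policy header still permits script loads
from www.google-analytics.com, the host the advisory recommends removing."""
GA_HOST = "www.google-analytics.com"

# Constructed sample policies (not HedgeDoc's actual header): the first still
# allow-lists the GA host in script-src, the second drops it.
WEAK_CSP = ("default-src 'self'; img-src 'self' data:; "
            "script-src 'self' https://www.google-analytics.com")
HARDENED_CSP = "default-src 'self'; img-src 'self' data:; script-src 'self'"

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive is ignored, as CSP keeps only the first one."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_script_sources(policy):
    """script-src governs script loads, default-src is the fallback;
    with neither present the policy does not restrict scripts at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", ["*"])

def source_matches_host(source, host):
    """True if one source expression covers the host: exact host, scheme://host,
    wildcard subdomain, bare '*', or an http:/https: scheme-only source."""
    s = source.lower()
    if s.startswith("'"):       # 'self', 'nonce-...', hashes: never a host match
        return False
    if s == "*":
        return True
    if "://" in s:
        s = s.split("://", 1)[1]
    elif s.endswith(":"):       # scheme-only source, e.g. "https:" or "data:"
        return s in ("http:", "https:")
    s = s.split("/", 1)[0].split(":", 1)[0]    # drop any path and port
    return host.endswith(s[1:]) if s.startswith("*.") else s == host

def csp_allows_ga_scripts(header):
    """Does the policy still let the page execute scripts served from GA?"""
    sources = effective_script_sources(parse_csp(header))
    return any(source_matches_host(src, GA_HOST) for src in sources)
```

Run it against the header your instance actually sends; a True result means the workaround has not been applied to the directive that governs scripts.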

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2020-26287
GHSA-G6W6-7XF9-M95P

Affected Products

Google Analytics
Google Tag Manager
Hedgedoc