PT-2021-22433 · Hedgedoc · Hedgedoc
Davidmehren · Published 2021-08-30 · Updated 2022-10-25 · CVE-2021-39175
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
HedgeDoc versions prior to 1.9.0
Description
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page.
Recommendations
For versions prior to 1.9.0, upgrade to version 1.9.0 to resolve the issue. As a temporary workaround until the upgrade is applied, consider restricting the use of the slide-mode feature. Additionally, avoid embedding the HedgeDoc instance into other pages, and do not embed iframes hosting malicious code into the slides, until the issue is resolved.
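The description above covers an origin-validation failure between the slides and their speaker-notes window. The following added example (not HedgeDoc's code) models that channel as a postMessage exchange and shows the weak sender/receiver beside hardened forms; the message shape `{ type: "notes", text }`, the origin values and the assumption that notes arrive as plain text are all constructed for the example.

```javascript
// Added example, not HedgeDoc's code. Models the slide window -> speaker-notes
// window channel as postMessage. Message shape and origins are assumptions.

const APP_ORIGIN = "https://hedgedoc.example"; // constructed, not a real host

// Sender side. The weak form broadcasts to any origin ("*"); the hardened
// form names the exact origin the notes window is expected to live on, so
// a page that embedded the instance never receives the message.
function sendNotesWeak(notesWindow, text) {
  notesWindow.postMessage(JSON.stringify({ type: "notes", text }), "*");
}
function sendNotesHardened(notesWindow, text, targetOrigin = APP_ORIGIN) {
  notesWindow.postMessage(JSON.stringify({ type: "notes", text }), targetOrigin);
}

// Receiver side, weak: every sender is trusted and the payload is rendered
// as markup (innerHTML). A frame embedded in the slides, or a page embedding
// the instance, can therefore deliver markup that runs script in the notes
// window. Returns what would be written to the DOM instead of touching it.
function receiveNotesWeak(event) {
  const msg = JSON.parse(event.data);
  if (msg.type !== "notes") return null;
  return { property: "innerHTML", value: msg.text };
}

// Receiver side, hardened: drop anything not sent from the trusted origin,
// validate the message shape, and render as text (assumes plain-text notes)
// so markup is displayed rather than interpreted.
function receiveNotesHardened(event, trustedOrigin = APP_ORIGIN) {
  if (event.origin !== trustedOrigin) return null;
  let msg;
  try { msg = JSON.parse(event.data); } catch { return null; }
  if (!msg || msg.type !== "notes" || typeof msg.text !== "string") return null;
  return { property: "textContent", value: msg.text };
}

// Constructed stand-ins for MessageEvent objects.
const payload = JSON.stringify({ type: "notes", text: "<script>untrusted()</script>" });
const fromElsewhere = { origin: "https://other.example", data: payload };
const fromApp = { origin: APP_ORIGIN, data: payload };
```

Running the two receivers over `fromElsewhere` shows the difference directly: the weak one hands the markup to `innerHTML`, the hardened one returns `null`.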
Fix
Special Elements Injection
XSS
Origin Validation Error
Related Identifiers
Affected Products
Hedgedoc