PT-2023-12608 · Unknown · Hledger-Web

Gaspard Baye · Published 2023-05-21 · Updated 2025-11-14 · CVE-2021-46888

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
hledger versions prior to 1.23
hledger-web versions prior to 1.23
Description: A stored Cross-Site Scripting (XSS) issue exists in the toBloodhoundJson function. An attacker can execute JavaScript by encoding user-controlled values in a payload with base64 and having the page decode them with the atob function. The hledger-web forms sanitize obvious JavaScript but not obfuscated JavaScript, so instances, especially anonymously-writable ones, are vulnerable to malicious JavaScript execution by subsequent visitors.
Recommendations: For hledger versions prior to 1.23, update to version 1.23 or later to resolve the issue. For hledger-web versions prior to 1.23, update to version 1.23 or later to resolve the issue. As a temporary workaround, consider disabling the toBloodhoundJson function until a patch is available. Restrict access to anonymously-writable hledger-web instances to minimize the risk of exploitation.
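The description contrasts a sanitizer that removes obvious JavaScript with the encoded data that slips past it. The following JavaScript is an added example, not hledger's code and not part of this advisory: it puts a blocklist-style sanitizer beside contextual output encoding for user-controlled strings that are inlined as JSON inside a script block, the situation a typeahead data source like toBloodhoundJson creates. The function names (naiveSanitize, encodeForScriptBlock, buildAccountsJson, safeToInline) and the sample account names are constructed for this illustration.

```javascript
// Added example, not hledger's code. Shows why a blocklist does not help
// against obfuscated input and what contextual encoding does instead.
//
// The advisory's point: a sanitizer that strips recognisable JavaScript
// sees nothing suspicious in base64 text, which the page's own script
// later decodes. Contextual encoding does not try to judge what a string
// "means"; it makes the string inert in the context it is written into.

// Naive approach: remove obvious script tags and pass everything else
// through. Encoded content, and any markup that is not a script tag,
// survives untouched. This is the pattern the advisory says is insufficient.
function naiveSanitize(value) {
  return value.replace(/<\/?script[^>]*>/gi, "");
}

// Hardened approach: serialise with JSON.stringify, then escape the few
// characters that could terminate a <script> block or break a JS literal.
// JSON.parse in the browser reverses the \uXXXX escapes, so the original
// value (base64 included) arrives as data, never as code.
function encodeForScriptBlock(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Build the JSON array a typeahead widget would consume (hypothetical
// helper; the real toBloodhoundJson shape is not reproduced here).
function buildAccountsJson(accounts) {
  return "[" + accounts.map(encodeForScriptBlock).join(",") + "]";
}

// Defensive check: true when the blob contains nothing that can close the
// enclosing <script> element or inject markup into the page.
function safeToInline(json) {
  return !/<\/script/i.test(json) && !/[<>&]/.test(json);
}

// Constructed sample input: two ordinary account names and one that
// carries markup, as a user of an anonymously-writable instance could submit.
const SAMPLE_ACCOUNTS = [
  "Assets:Checking",
  "Expenses:Food",
  "Expenses:</script><i>note</i>",
];

// Run both approaches over the sample and report what each produces.
function demo() {
  const naive = SAMPLE_ACCOUNTS.map(naiveSanitize);
  const json = buildAccountsJson(SAMPLE_ACCOUNTS);
  return {
    naiveThird: naive[2],          // markup still present after blocklist
    json,                          // escaped blob, safe to inline
    safe: safeToInline(json),      // true
    roundTrip: JSON.parse(json),   // original values restored as data
  };
}

console.log(demo());
```

The blocklist leaves `<i>note</i>` in place and would equally leave a base64 string in place, because neither looks like a script tag. The encoder never inspects the content: every `<`, `>` and `&` becomes a `\u` escape that the HTML parser ignores and the JSON parser restores, so the same value round-trips intact without ever being interpreted as markup or code.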

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2021-46888
HSEC-2023-0008

Affected Products

Ledger
Hledger-Web