Stored XSS in mermaid diagrams
CVE-2020-26287

8.7HIGH

Key Information:

Vendor: Hedgedoc
Status: Hedgedoc
Vendor: CVE Published:; 29 December 2020

What is CVE-2020-26287?

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but www.google-analytics.com is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow www.google-analytics.com in the Content-Security-Policy header. Note that other ways to leverage the script tag injection might exist.

Affected Version(s)

hedgedoc < 1.7.1

References

https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1

x_refsource_MISC

https://github.com/hedgedoc/hedgedoc/security/advisories/...

x_refsource_CONFIRM

https://github.com/hackmdio/codimd/issues/1630

x_refsource_MISC

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 29, 2020
Vulnerability Reserved
Oct 1, 2020

Hedgedoc

What is CVE-2020-26287?

Affected Version(s)

References

CVSS V3.1

Timeline