XSS vector in slide mode speaker-view
CVE-2021-39175

8.1HIGH

Key Information:

Vendor: Hedgedoc
Status: Hedgedoc
Vendor: CVE Published:; 30 August 2021

What is CVE-2021-39175?

HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.

Affected Version(s)

hedgedoc < 1.9.0

References

https://github.com/hedgedoc/hedgedoc/security/advisories/...

x_refsource_CONFIRM

https://github.com/hedgedoc/hedgedoc/pull/1369

x_refsource_MISC

https://github.com/hedgedoc/hedgedoc/pull/1375

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 30, 2021
Vulnerability Reserved
Aug 16, 2021

Hedgedoc

What is CVE-2021-39175?

Affected Version(s)

References

CVSS V3.1

Timeline