Vulnerability Details : CVE-2021-39175
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
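The two CWEs attached to this entry (origin validation error and XSS) describe a single bug class: a window that receives content from another window, does not check who sent it, and renders it as HTML. The following is an added illustration of that class and its fix, written for this page; it is not HedgeDoc's or reveal.js's code. It assumes the speaker-notes window is fed over a postMessage channel with a `{type, html}` message shape, and the CSP strings at the bottom are invented to mirror the direction of the referenced PRs (dropping `'unsafe-eval'` and third-party script hosts), not the project's real header.

```javascript
// Added example for CVE-2021-39175's bug class (CWE-346 + CWE-79).
// Assumptions (not from the page): the notes view listens for "message"
// events and the payload is JSON of the form {type: "notes", html: "..."}.

// The origin the notes window should accept: the HedgeDoc instance itself
// (in a browser this would be window.location.origin). Hypothetical host.
const TRUSTED_ORIGIN = "https://hedgedoc.example";

// Constructed sample events, shaped like a browser MessageEvent.
// The hostile one is what a page that embeds the instance, or an iframe
// embedded in the slides, could post to the notes window.
const HOSTILE_EVENT = {
  origin: "https://attacker.example",
  data: JSON.stringify({
    type: "notes",
    html: '<img src=x onerror="alert(document.cookie)">',
  }),
};
const LEGIT_EVENT = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ type: "notes", html: "Remember to <b>pause</b>" }),
};

// Vulnerable pattern: any sender is trusted and its markup becomes DOM.
// Returns what would be assigned to the notes element.
function renderNotesVulnerable(event) {
  const msg = JSON.parse(event.data);
  if (msg.type !== "notes") return null;
  return { innerHTML: msg.html }; // attacker-controlled markup is rendered
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: reject foreign origins (CWE-346 fix), validate the
// message shape, and never hand raw markup to the DOM (CWE-79 fix).
// If notes genuinely need markup, run an HTML sanitizer here instead of
// escaping; escaping is the conservative choice for this demo.
function renderNotesHardened(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return null;
  }
  if (!msg || msg.type !== "notes" || typeof msg.html !== "string") return null;
  return { innerHTML: escapeHtml(msg.html) };
}

// Second layer: the Content-Security-Policy served with the app. Both
// headers are constructed for the demo; the weak one carries the kinds of
// allowances the referenced PRs removed ('unsafe-eval', third-party hosts)
// plus a wildcard frame-ancestors so any site can embed the instance.
const CSP_WEAK =
  "default-src 'self'; script-src 'self' 'unsafe-eval' " +
  "https://www.google-analytics.com https://disqus.com; frame-ancestors *";
const CSP_TIGHT = "default-src 'self'; script-src 'self'; frame-ancestors 'self'";

// Flags CSP settings that weaken protection against this vulnerability.
function cspFindings(header) {
  const directives = new Map(
    header
      .split(";")
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => {
        const [name, ...values] = d.split(/\s+/);
        return [name, values];
      })
  );
  const findings = [];
  const script = directives.get("script-src") || directives.get("default-src") || [];
  if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (script.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  const ancestors = directives.get("frame-ancestors");
  if (!ancestors || ancestors.includes("*")) {
    findings.push("frame-ancestors missing or wildcard: any origin may embed the page");
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderNotesVulnerable(HOSTILE_EVENT));
  console.log("hardened (hostile):", renderNotesHardened(HOSTILE_EVENT, TRUSTED_ORIGIN));
  console.log("hardened (legit):", renderNotesHardened(LEGIT_EVENT, TRUSTED_ORIGIN));
  console.log("weak CSP findings:", cspFindings(CSP_WEAK));
}
```

The origin check is the fix for the source-validation CWE; escaping or sanitizing is the fix for the XSS CWE; a CSP without `'unsafe-eval'` and with a restrictive `frame-ancestors` limits what an injected payload can do and who can embed the instance in the first place. All three belong together, and the referenced patches tighten the CSP layer.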
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-39175
- cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-39175
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~51% (proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2021-39175
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N (CVSS v2) | 8.6 | 2.9 | NIST
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST
8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 2.8 | 5.2 | GitHub, Inc.
CWE ids for CVE-2021-39175
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. (Assigned by security-advisories@github.com, secondary)
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by nvd@nist.gov, primary)
- The product does not properly verify that the source of data or communication is valid. (Assigned by security-advisories@github.com, secondary)
References for CVE-2021-39175
- https://github.com/hedgedoc/hedgedoc/pull/1375 : "Disable GA and Disqus in default CSP" by davidmehren, Pull Request #1375, hedgedoc/hedgedoc (Patch; Third Party Advisory)
- https://github.com/hedgedoc/hedgedoc/pull/1369 : "Remove unsafe-eval from default CSP" by davidmehren, Pull Request #1369, hedgedoc/hedgedoc (Patch; Third Party Advisory)
- https://github.com/hedgedoc/hedgedoc/pull/1513 : "Tighten up Content-Security-Policy" by davidmehren, Pull Request #1513, hedgedoc/hedgedoc (Patch; Third Party Advisory)
- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697 : "XSS vector in slide mode speaker-view", GitHub Security Advisory GHSA-j748-779h-9697, hedgedoc/hedgedoc (Patch; Third Party Advisory)