CVE-2021-21259
Summary
| CVE | CVE-2021-21259 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-01-22 17:15:00 UTC |
| Updated | 2021-06-08 14:36:00 UTC |
| Description | HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Stored XSS in slide mode · Advisory · hedgedoc/hedgedoc · GitHub | CONFIRM | github.com | Third Party Advisory |
| Stored XSS in slide mode (via reveal-markdown) · Issue #1648 · hackmdio/codimd · GitHub | MISC | github.com | |
| added sanitation to the slideMode in frontmatter · hedgedoc/hedgedoc@35b0d39 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Release HedgeDoc 1.7.2 · hedgedoc/hedgedoc · GitHub | MISC | github.com | Release Notes, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.