CVE-2021-21259 — HIGH (7.4)

Q: How severe is CVE-2021-21259?

CVE-2021-21259 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21259?

Check the references section above for vendor advisories and patch information. Affected products include: Hedgedoc Hedgedoc.

Vulnerability Description

HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Hedgedoc	Hedgedoc	< 1.7.2

Related Weaknesses (CWE)

CWE-79

References

https://github.com/hackmdio/codimd/issues/1648ExploitPatchThird Party Advisory
https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7PatchThird Party Advisory
https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2Release NotesThird Party Advisory
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxwThird Party Advisory
https://github.com/hackmdio/codimd/issues/1648ExploitPatchThird Party Advisory
https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7PatchThird Party Advisory
https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2Release NotesThird Party Advisory
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxwThird Party Advisory

FAQ

What is CVE-2021-21259?

CVE-2021-21259 is a vulnerability with a CVSS score of 7.4 (HIGH). HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which...

How severe is CVE-2021-21259?

CVE-2021-21259 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21259?

Check the references section above for vendor advisories and patch information. Affected products include: Hedgedoc Hedgedoc.