Vulnerability Description
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hedgedoc | Hedgedoc | < 1.9.0 |
Related Weaknesses (CWE)
References
- https://github.com/hedgedoc/hedgedoc/pull/1369 (Patch, Third Party Advisory)
- https://github.com/hedgedoc/hedgedoc/pull/1375 (Patch, Third Party Advisory)
- https://github.com/hedgedoc/hedgedoc/pull/1513 (Patch, Third Party Advisory)
- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697 (Patch, Third Party Advisory)
FAQ
What is CVE-2021-39175?
CVE-2021-39175 is a vulnerability with a CVSS score of 8.1 (HIGH). HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embeddin...
How severe is CVE-2021-39175?
CVE-2021-39175 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-39175?
Check the references section above for vendor advisories and patch information. Affected products include: Hedgedoc Hedgedoc.