CVE-2021-39175
Severity: HIGH (CVSS 8.1)
Description
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker notes of the slide-mode feature, either by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
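The two injection paths in the description (a hostile iframe inside the slides, or a hostile page embedding the instance) together with the CWE-346 tag describe the classic cross-window messaging flaw: a speaker-notes view that accepts window messages without checking who sent them and then renders the payload as markup. The example below is added here to illustrate that pattern and its fix; it is not HedgeDoc's code, and the handler names, message format and the trusted origin https://hedgedoc.example are assumptions made for the example. A small fake DOM element stands in for the notes container so the file runs under Node.

```javascript
// Illustrative model of a postMessage origin-validation flaw (CWE-346)
// that yields script injection (CWE-79). Not HedgeDoc's code: the handler
// names, message format and trusted origin are assumptions for this example.
// A tiny fake element stands in for the DOM so the file runs under Node.

const TRUSTED_ORIGIN = "https://hedgedoc.example"; // assumed deployment origin

// Stand-in for the DOM node that displays speaker notes.
function makeNotesElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: no origin or source check, and the payload is written
// as markup. Any window holding a reference to the notes window, such as an
// <iframe> inside the slides or a page that embeds the slides, can drive it.
function vulnerableNotesHandler(notesEl, event) {
  let msg;
  try { msg = JSON.parse(event.data); } catch { return false; }
  if (!msg || msg.type !== "notes") return false;
  notesEl.innerHTML = msg.html; // attacker-controlled markup reaches the DOM
  return true;
}

// Hardened pattern: accept only messages from our own origin and from the
// specific window we opened, and render the payload as text, never as HTML.
function hardenedNotesHandler(notesEl, expectedSource, event) {
  if (event.origin !== TRUSTED_ORIGIN) return false;   // cross-origin sender
  if (event.source !== expectedSource) return false;   // same origin, wrong window
  let msg;
  try { msg = JSON.parse(event.data); } catch { return false; }
  if (!msg || msg.type !== "notes" || typeof msg.text !== "string") return false;
  notesEl.textContent = msg.text; // no markup interpretation
  return true;
}

// Constructed sample windows and MessageEvent-like objects (not captured traffic).
const slidesWindow = { name: "slides" };    // the window the notes view opened
const attackerFrame = { name: "attacker" }; // a hostile <iframe> or embedding parent

const maliciousEvent = {
  origin: "https://attacker.example",
  source: attackerFrame,
  data: JSON.stringify({ type: "notes", html: '<img src=x onerror="alert(document.cookie)">' }),
};
const sameOriginWrongWindowEvent = {
  origin: TRUSTED_ORIGIN,
  source: attackerFrame,
  data: JSON.stringify({ type: "notes", text: "spoofed" }),
};
const benignEvent = {
  origin: TRUSTED_ORIGIN,
  source: slidesWindow,
  data: JSON.stringify({ type: "notes", text: "Mention the live demo after slide 3" }),
};

// Run both handlers against the samples and report what each accepted.
function runScenario() {
  const vulnEl = makeNotesElement();
  const hardEl = makeNotesElement();
  return {
    vulnerableAcceptedMalicious: vulnerableNotesHandler(vulnEl, maliciousEvent),
    vulnerableInnerHtml: vulnEl.innerHTML,
    hardenedAcceptedCrossOrigin: hardenedNotesHandler(hardEl, slidesWindow, maliciousEvent),
    hardenedAcceptedWrongWindow: hardenedNotesHandler(hardEl, slidesWindow, sameOriginWrongWindowEvent),
    hardenedAcceptedBenign: hardenedNotesHandler(hardEl, slidesWindow, benignEvent),
    hardenedText: hardEl.textContent,
  };
}

console.log(runScenario());
```

The origin check is the one that matters for the second vector in the description: when the attacker's page is the parent that embeds the instance, the notes view may have no window reference to compare against at all, so a source check alone is not enough. The vulnerable handler accepts the cross-origin payload and writes the onerror markup into the element; the hardened one rejects both the cross-origin message and the same-origin message from an unexpected window, and only the expected window's message reaches the element, as plain text.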
CVE details
CVSS v3.1 score: 8.1
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 2021-08-30
Last modified: 2024-11-21
Source: nvd
Honeypot sightings: 0
Affected products
hedgedoc:hedgedoc
Weaknesses (CWE)
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-346: Origin Validation Error
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (each listed by both sources: security-advisories@github.com and af854a3a-2127-422b-91ae-364da2661108)
https://github.com/hedgedoc/hedgedoc/pull/1369
https://github.com/hedgedoc/hedgedoc/pull/1375
https://github.com/hedgedoc/hedgedoc/pull/1513
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.