8.7

CVE-2020-26287

Exploit

Stored XSS in mermaid diagrams

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manager it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist.
Data provided by the National Vulnerability Database (NVD)

Affected product: Hedgedoc / Hedgedoc, version < 1.7.1

No vendor security notice was found for this CVE.

EPSS Metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  1.45%  0.699
CVSS Metrics

Source                          Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                    8.7         2.3            5.8           CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
nvd@nist.gov                    4.3         8.6            2.9           AV:N/AC:M/Au:N/C:N/I:P/A:N
security-advisories@github.com  8.7         2.3            5.8           CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1
Third Party Advisory
https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md
Third Party Advisory
Exploit
https://github.com/hackmdio/codimd/issues/1630
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4
Patch
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p
Third Party Advisory