Hackmd

Codimd

6 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty, in its original format.
Exploit
  • EPSS 0.16%
  • Published 26.04.2025 00:00:00
  • Last modified 05.08.2025 15:14:39

CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file.

  • EPSS 0.15%
  • Published 26.04.2025 00:00:00
  • Last modified 29.04.2025 16:15:37

CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user er...

Exploit
  • EPSS 5.32%
  • Published 10.07.2024 20:15:04
  • Last modified 04.09.2025 14:49:09

CodiMD allows realtime collaborative markdown notes on all platforms. CodiMD before 2.5.4 has a missing authentication and access control vulnerability allowing an unauthenticated attacker to gain unauthorised access to image data uploaded to CodiMD. Co...

Exploit
  • EPSS 0.97%
  • Published 10.07.2024 20:15:04
  • Last modified 21.11.2024 09:25:25

CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe `HTML` tags with an improperly sanitized `name` attribute. This vulnerability enables attackers to perform cross-s...

Exploit
  • EPSS 0.5%
  • Published 21.02.2024 15:15:09
  • Last modified 06.05.2025 12:26:00

HackMD CodiMD <2.5.2 is vulnerable to Denial of Service.

Exploit
  • EPSS 0.24%
  • Published 23.08.2019 04:15:11
  • Last modified 21.11.2024 04:28:52

CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element with allow-top-navigation in the sandbox attribute, in conjunction with a data: URL.