CVE-2021-21259

Опубликовано: 22 янв. 2021

Источник: nvd

CVSS3: 7.4

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the Content-Security-Policy header. Note that this will break some embedded content.

Ссылки

https://github.com/hackmdio/codimd/issues/1648
Exploit
Patch
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7efef
Patch
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2
Release Notes
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw
Third Party Advisory
https://github.com/hackmdio/codimd/issues/1648
Exploit
Patch
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7efef
Patch
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2
Release Notes
Third Party Advisory
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*

Версия до 1.7.2 (исключая)

EPSS

Процентиль: 50%

0.0027

Низкий

7.4 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

EPSS

Процентиль: 50%

0.0027

Низкий

7.4 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79