CVE-2021-39175
Severity: HIGH
HedgeDoc < 1.9.0 - Unauthenticated Cross-Site Scripting via Slide Mode Speaker Notes
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
References (4)
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697
Patch, Third Party Advisory (x_refsource_misc): https://github.com/hedgedoc/hedgedoc/pull/1369
Patch, Third Party Advisory (x_refsource_misc): https://github.com/hedgedoc/hedgedoc/pull/1375
Patch, Third Party Advisory (x_refsource_misc): https://github.com/hedgedoc/hedgedoc/pull/1513
Scores
CVSS v3 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0058
EPSS Percentile: 43.1%
Details
CWE: CWE-346, CWE-74, CWE-79
Status: published
Products (1): hedgedoc/hedgedoc < 1.9.0
Published: Aug 30, 2021
Tracked Since: Feb 18, 2026