
Stored XSS in slide mode

High
davidmehren published GHSA-44w9-vm8p-3cxw Jan 15, 2021

Package

No package listed

Affected versions

<1.7.2

Patched versions

1.7.2

Description

Impact

An attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode.

Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes.

Patches

The problem is patched in HedgeDoc 1.7.2.

Workarounds

Disallow loading JavaScript from third-party sites using the Content-Security-Policy header. Note that this will break some embedded content.
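To make the workaround concrete, here is an added example (not HedgeDoc's own code) that parses a Content-Security-Policy header value and checks whether a script from a given origin may load under it. The policies, the instance hostname `notes.example.org`, and the script URLs are all constructed for illustration; it also shows why a locked-down policy blocks legitimately embedded third-party content.

```python
# Added example, not part of the advisory or of HedgeDoc.
# Minimal evaluator for the script-src restriction that the workaround relies on.
from urllib.parse import urlsplit

# Constructed: a locked-down policy for a HedgeDoc instance served from
# https://notes.example.org (hypothetical host); only first-party scripts may run.
STRICT_CSP = "default-src 'self'; script-src 'self'; img-src 'self' data:"

# Constructed: a looser policy that additionally trusts one third-party host.
PERMISSIVE_CSP = "default-src 'self'; script-src 'self' https://embed.example.net"

SITE_ORIGIN = "https://notes.example.org"  # constructed instance origin


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_allowed(header: str, script_url, site_origin: str = SITE_ORIGIN) -> bool:
    """Return True if a script may execute under the policy's script-src.

    script_url=None stands for an inline <script>. Handles 'self', 'none',
    'unsafe-inline', '*' and exact origin matches; falls back to default-src
    when script-src is absent. Nonces and hashes are not modelled.
    """
    policy = parse_csp(header)
    sources = [s.lower() for s in policy.get("script-src", policy.get("default-src", ["*"]))]
    if "'none'" in sources:
        return False
    if script_url is None:
        return "'unsafe-inline'" in sources  # inline script needs explicit opt-in
    parts = urlsplit(script_url)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and origin == site_origin.lower():
            return True
        if src.startswith("http") and origin == src.rstrip("/"):
            return True
    return False
```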

References

This issue was discovered by @TobiasHoll and reported to hackmdio/codimd: hackmdio/codimd#1648

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-21259

Weaknesses

No CWEs

Credits