
XSS vector in slide mode speaker-view

High
davidmehren published GHSA-j748-779h-9697 Aug 29, 2021

Package

HedgeDoc

Affected versions

<1.9.0

Patched versions

1.9.0

Description

Impact

An unauthenticated attacker can inject arbitrary JavaScript into the speaker notes of the slide-mode feature, either by embedding an iframe that hosts the malicious code in the slides or by embedding the HedgeDoc instance in another page.

Patches

This problem was fixed by

  • removing 'unsafe-inline' from the Content Security Policy, so that injected script tags are no longer executed (#1369)
  • removing Google Analytics from the Content Security Policy, as it was a common way to circumvent the CSP (#1375)
  • adding a config option that forbids other pages from embedding a HedgeDoc instance (#1513)

Workarounds

None.
The main fix is the removal of 'unsafe-inline' from the CSP, which required many changes to the frontend code and build infrastructure. These cannot be easily backported to older HedgeDoc instances.

For more information

If you have any questions or comments about this advisory:

Severity

High, 8.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2021-39175

Credits