Impact
An unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page.
Patches
This problem was fixed by
- removing `unsafe-inline` from the script sources of the content security policy, so that an injected inline script tag is no longer executed by the browser (#1369)
- removing Google Analytics from the content security policy, as it was a common way to circumvent the CSP (#1375)
- adding a config option which forbids other pages to embed a HedgeDoc instance (#1513)
Workarounds
None.
The main fix is the removal of `unsafe-inline` from the CSP, which required many changes to the frontend code and build infrastructure. These cannot easily be applied to older HedgeDoc instances.
For more information
If you have any questions or comments about this advisory: