Hedgedoc
CVE-2021-29503
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
HedgeDoc is a platform to write and share markdown. HedgeDoc before version 1.8.2 is vulnerable to a cross-site scripting attack using the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in the Open Graph metadata section of the note, resulting in the frontend rendering the script tag as part of the <head> section. Unless your instance prevents guests from editing notes, this vulnerability allows unauthenticated attackers to inject JavaScript into notes that allow guest edits. If your instance prevents guests from editing notes, this vulnerability allows authenticated attackers to inject JavaScript into any note pages they have write-access to. This vulnerability is patched in version 1.8.2. As a workaround, one can disable guest edits until the next update.
AnalysisAI
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-80. HedgeDoc is a platform to write and share markdown. HedgeDoc before version 1.8.2 is vulnerable to a cross-site scripting attack using the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in the Open Graph metadata section of the note, resulting in the frontend rendering the script tag as part of the <head> section. Unless your instance prevents guests from editing notes, this vulnerability allows unauthenticated attackers to inject JavaScript into notes that allow guest edits. If your instance prevents guests from editing notes, this vulnerability allows authenticated attackers to inject JavaScript into any note pages they have write-access to. This vulnerability is patched in version 1.8.2. As a workaround, one can disable guest edits until the next update. Affected products include: Hedgedoc. Version information: version 1.8.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerabilit
HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerabi
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this
HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CV
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0)
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), t
Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "ali
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerabilit
Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force prot
HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today