Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202109-1
HistorySep 14, 2021 - 12:00 a.m.

[ASA-202109-1] hedgedoc: cross-site scripting

2021-09-1400:00:00
security.archlinux.org
12

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

43.5%

JSON

Arch Linux Security Advisory ASA-202109-1

Severity: High
Date : 2021-09-14
CVE-ID : CVE-2021-39175
Package : hedgedoc
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-2331

Summary

The package hedgedoc before version 1.9.0-1 is vulnerable to cross-site
scripting.

Resolution

Upgrade to 1.9.0-1.

pacman -Syu “hedgedoc>=1.9.0-1”

The problem has been fixed upstream in version 1.9.0.

Workaround

None.

Description

In HedgeDoc versions prior to 1.9.0, an unauthenticated attacker can
inject arbitrary JavaScript into the speaker-notes of the slide-mode
feature by embedding an iframe hosting the malicious code into the
slides or by embedding the HedgeDoc instance into another page.

Impact

An unauthenticated remote attacker could execute arbitrary JavaScript
code in the slide mode of HedgeDoc.

References

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697
https://github.com/hedgedoc/hedgedoc/pull/1369
https://github.com/hedgedoc/hedgedoc/pull/1375
https://github.com/hedgedoc/hedgedoc/pull/1513
https://security.archlinux.org/CVE-2021-39175

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyhedgedoc< 1.9.0-1UNKNOWN

Related

cve 1
prion 1
osv 1
nvd 1
cvelist 1
cnvd 1
cve
cve
CVE-2021-39175
2021-08-30 21:15:09
prion
prion
Code injection
2021-08-30 21:15:00
osv
osv
CVE-2021-39175
2021-08-30 21:15:09
nvd
nvd
CVE-2021-39175
2021-08-30 21:15:09
cvelist
cvelist
CVE-2021-39175 XSS vector in slide mode speaker-view
2021-08-30 20:40:13
cnvd
cnvd
HedgeDoc Cross-Site Scripting Vulnerability (CNVD-2021-93909)
2021-08-31 00:00:00

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

43.5%

JSON
Related for ASA-202109-1
cve1prion1osv1nvd1cvelist1cnvd1