49 matches found
CVE-2025-46655
CVE-2025-46655 affects CodiMD up to version 2.5.4. The issue is a bypass of the CSP-based XSS protection for SVG uploads when using cross-origin file storage (e.g., AWS S3) in configurations where the architecture cannot insert Content-Security-Policy headers. This can allow XSS in certain storag...
CVE-2025-46655
CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted...
CVE-2025-46654
CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file...
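The two CSP bypasses above (CVE-2025-46655 and CVE-2025-46654) share one root cause: a Content-Security-Policy header protects only the response it travels with. An SVG or HTML upload fetched from a different origin, such as an S3 bucket, arrives with whatever headers that storage sends, and the app's CSP is simply absent. The following check is an added example written for this page, not CodiMD code or the project's fix. It compares the app origin with the upload URL and, for cross-origin storage, checks for the object-level headers that generally neutralise scriptable uploads (Content-Disposition: attachment, a per-object CSP, nosniff). The header rules and the list of scriptable content types are assumptions of this example, not anything taken from the advisories.

```javascript
'use strict';

// Constructed list: response types a browser renders as a document and
// executes script from when a user navigates to the upload directly.
const SCRIPTABLE_TYPES = ['image/svg+xml', 'text/html', 'application/xhtml+xml'];

// Lower-case header names and values so lookups are case-insensitive.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = String(v).trim().toLowerCase();
  }
  return out;
}

// appOrigin:      origin that serves the app and sends its CSP header.
// uploadUrl:      URL a note embeds (or a user opens) for the upload.
// storageHeaders: headers the storage origin returns for that object
//                 (for S3 these come from the object's metadata).
// Returns { sameOrigin, appCspApplies, safe, findings }.
function assessUploadServing(appOrigin, uploadUrl, storageHeaders) {
  const sameOrigin = new URL(appOrigin).origin === new URL(uploadUrl).origin;
  const h = normaliseHeaders(storageHeaders || {});
  const contentType = (h['content-type'] || '').split(';')[0].trim();
  const findings = [];

  if (sameOrigin) {
    // The app's own response pipeline, and therefore its CSP, governs
    // this response. (Assumes the app really does send a CSP header.)
    return { sameOrigin, appCspApplies: true, safe: true, findings };
  }

  // Cross-origin: the app's CSP header is never attached to this response,
  // so the storage response must defend itself.
  const scriptable = contentType === '' || SCRIPTABLE_TYPES.includes(contentType);
  const attachment = (h['content-disposition'] || '').startsWith('attachment');
  const csp = h['content-security-policy'] || '';
  const cspBlocksScript = /\bsandbox\b/.test(csp) || /script-src[^;]*'none'/.test(csp);

  if (h['x-content-type-options'] !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff on storage response');
  }
  if (scriptable && !attachment && !cspBlocksScript) {
    findings.push(
      `scriptable type "${contentType || 'unknown'}" served inline cross-origin ` +
      'without its own CSP: the app CSP does not apply here');
  }
  return { sameOrigin, appCspApplies: false, safe: findings.length === 0, findings };
}

// Constructed inputs: same-origin uploads vs. a bucket with default metadata.
console.log(assessUploadServing('https://notes.example', 'https://notes.example/uploads/x.svg', {}));
console.log(assessUploadServing('https://notes.example', 'https://bucket.s3.amazonaws.com/x.svg',
  { 'Content-Type': 'image/svg+xml' }));

module.exports = { assessUploadServing };
```

Note that a bucket on a subdomain of the app is still a different origin for CSP purposes, so the cross-origin branch applies to it too; whether script running in that origin can reach the app's session depends on cookie scoping, which this check does not evaluate.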
CVE-2024-38354
CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe HTML tags with an improperly sanitized name attribute. This vulnerability enables attackers to perform cross-site scripting XSS attacks via DOM clobbering. This...
CVE-2024-38353
CodiMD allows realtime collaborative markdown notes on all platforms. CodiMD before 2.5.4 has a missing authentication and access control vulnerability allowing an unauthenticated attacker to gain unauthorised access to image data uploaded to CodiMD. CodiMD does not require valid authentication to...
CVE-2024-38353 CodiMD - Missing Image Access Controls and Unauthorized Image Access
CodiMD allows realtime collaborative markdown notes on all platforms. CodiMD before 2.5.4 has a missing authentication and access control vulnerability allowing an unauthenticated attacker to gain unauthorised access to image data uploaded to CodiMD. CodiMD does not require valid authentication to...
CVE-2024-38353
CVE-2024-38353 (CodiMD) affects CodiMD prior to 2.5.4, where an unauthenticated attacker can access uploaded image data due to missing authentication and access controls. The underlying issue is insecure filename generation in the Formidable library, enabling an attacker who can guess an image UR...
CVE-2024-38354 Cross-site Scripting in Hackmd.io Notes led by HTML Injection
CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe HTML tags with an improperly sanitized name attribute. This vulnerability enables attackers to perform cross-site scripting XSS attacks via DOM clobbering. This...
CVE-2024-38354
CVE-2024-38354 affects CodiMD/HackMD.io notes, where the notebook feature allows rendering of iframe HTML tags with an improperly sanitized name attribute, enabling DOM clobbering-based XSS. The issue, fixed in version 2.5.4, impacts note collaboration environments that render untrusted HTML. No ...
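The CVE-2024-38354 entries above describe DOM clobbering: an `<iframe name="...">` that survives sanitization creates a named property on `window` that shadows whatever the page's scripts expected to find there, and the same trick works with `id` or `name` on other elements. Below is an added example of the sanitizer rule a reviewer would want to see, written for this page and not taken from CodiMD's fix. It strips the `name` attribute from every iframe outright and drops any `id`/`name` whose value collides with a constructed denylist of `window`/`document` properties, which generalizes the page's iframe case. The regex tokenizer and the denylist are illustrative assumptions; a production sanitizer should use a real HTML parser (DOMPurify's SANITIZE_DOM does this job).

```javascript
'use strict';

// Constructed denylist: global and document properties that rendered note
// HTML must never be allowed to shadow through an element name/id.
const CLOBBER_TARGETS = new Set([
  'location', 'document', 'top', 'parent', 'self', 'frames', 'opener',
  'name', 'window', 'globalthis', 'cookie', 'domain', 'referrer', 'body',
  'head', 'forms', 'scripts', 'images', 'links', 'anchors', 'embeds',
  'plugins', 'all', 'constructor', 'prototype', '__proto__',
]);

// Opening tags only: tag name, raw attribute run, optional self-closing slash.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
// One attribute inside the run: name and optional (quoted or bare) value.
const ATTR_RE = /\s+([^\s=>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function unquote(raw) {
  if (raw.length >= 2 && (raw[0] === '"' || raw[0] === "'") && raw[raw.length - 1] === raw[0]) {
    return raw.slice(1, -1);
  }
  return raw;
}

// Returns { html, removed } where removed lists every attribute dropped.
function neutralizeClobbering(html) {
  const removed = [];
  const out = html.replace(TAG_RE, (whole, tag, attrs, selfClose) => {
    const t = tag.toLowerCase();
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const aname = m[1].toLowerCase();
      const value = m[2] === undefined ? '' : unquote(m[2]);
      const idLike = aname === 'id' || aname === 'name';
      const collides = CLOBBER_TARGETS.has(value.toLowerCase());
      // Rule 1: an iframe name is a window reference by construction; drop it.
      // Rule 2: any id/name that collides with a sensitive global is dropped.
      if ((t === 'iframe' && aname === 'name') || (idLike && collides)) {
        removed.push({ tag: t, attr: aname, value });
        continue;
      }
      kept.push(m[0].trim());
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose ? ' /' : ''}>`;
  });
  return { html: out, removed };
}

// Constructed note fragment: a clobbering iframe, a clobbering img id, and a
// harmless id that must survive.
const SAMPLE =
  '<p>hi</p>' +
  '<iframe src="https://example.invalid/" name="location"></iframe>' +
  '<img id="document" src="a.png">' +
  '<a id="safe" href="#">x</a>';

console.log(neutralizeClobbering(SAMPLE));

module.exports = { neutralizeClobbering, CLOBBER_TARGETS, SAMPLE };
```

The iframe rule is deliberately broader than the denylist: even a name that collides with nothing today becomes a clobbering vector the moment a script starts reading a global of that name, so allowing any attacker-chosen iframe name in rendered markdown buys nothing and costs a class of bugs.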
CodiMD Security Vulnerabilities
CodiMD is a real-time collaborative note-taking application open-sourced by HackMD. A security vulnerability exists in CodiMD version 2.5.3 that stems from a lack of authentication and access control, allowing an unauthenticated attacker to gain unauthorized access to uploaded ima...
CodiMD Security Vulnerabilities
CodiMD is a real-time collaborative note-taking application open-sourced by HackMD. A security vulnerability exists in CodiMD version 2.5.3 that stems from rendering HTML tags whose attributes are improperly sanitized, which enables an attacker to perform cross-site scripti...
CVE-2024-22778
HackMD CodiMD 2.5.2 is vulnerable to Denial of Service...