ArchLinux: 202109-1: hedgedoc: cross-site scripting

Arch Linux Security Advisory ASA-202109-1
=========================================

Severity: High
Date    : 2021-09-14
CVE-ID  : CVE-2021-39175
Package : hedgedoc
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2331

Summary
=======

The package hedgedoc before version 1.9.0-1 is vulnerable to cross-site
scripting.

Resolution
==========

Upgrade to 1.9.0-1.

# pacman -Syu "hedgedoc>=1.9.0-1"

The problem has been fixed upstream in version 1.9.0.

Workaround
==========

None.

Description
===========

In HedgeDoc versions prior to 1.9.0, an unauthenticated attacker can
inject arbitrary JavaScript into the speaker-notes of the slide-mode
feature by embedding an iframe hosting the malicious code into the
slides or by embedding the HedgeDoc instance into another page.

Impact
======

An unauthenticated remote attacker could execute arbitrary JavaScript
code in the browser of any user viewing a crafted presentation in the
slide mode of HedgeDoc.

References
==========

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697
https://github.com/hedgedoc/hedgedoc/pull/1369
https://github.com/hedgedoc/hedgedoc/pull/1375
https://github.com/hedgedoc/hedgedoc/pull/1513
https://security.archlinux.org/CVE-2021-39175

September 15, 2021