Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Stored XSS in mermaid diagrams
Vulnerability Description
HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Hedgedoc 跨站脚本漏洞
Vulnerability Description
Hedgedoc是Hedgedoc团队的一个基于Javascript的Markdown文档实时编辑分享平台。 HedgeDoc 1.7.1之前版本存在安全漏洞,攻击者可利用该漏洞可以在HedgeDoc notes中注入任意的“脚本”标签。我们的内容安全策略禁止从大多数位置加载脚本,但“www.google-analytics.com”是允许的。使用谷歌标签管理器可以注入任意JavaScript并在页面加载时执行它。
CVSS Information
N/A
Vulnerability Type
N/A