NVD Vulnerability Detail

CVE-2020-26287

Summary	HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist.
Publication Date	Dec. 29, 2020, 9:15 a.m.
Registration Date	Jan. 26, 2021, 11:56 a.m.
Last Update	Nov. 21, 2024, 2:19 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:hedgedoc:hedgedoc::::::::					1.7.1

Related information, measures and tools

No	URL	タグ
1	https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md	Exploit Third Party Advisory
2	https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md	Exploit Third Party Advisory
3	https://github.com/hackmdio/codimd/issues/1630	Third Party Advisory
4	https://github.com/hackmdio/codimd/issues/1630	Third Party Advisory
5	https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4	Patch Third Party Advisory
6	https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4	Patch Third Party Advisory
7	https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1	Third Party Advisory
8	https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1	Third Party Advisory
9	https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p	Third Party Advisory
10	https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

HedgeDoc におけるクロスサイトスクリプティングの脆弱性

Title	HedgeDoc におけるクロスサイトスクリプティングの脆弱性
Summary	HedgeDoc には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 28, 2020, midnight
Registration Date	Sept. 3, 2021, 4:21 p.m.
Last Update	Sept. 3, 2021, 4:21 p.m.

Affected System

HedgeDoc

HedgeDoc 1.7.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-26287	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-CVE-2020-26287
National Vulnerability Database (NVD)
2	CVE-2020-26287	https://nvd.nist.gov/vuln/detail/CVE-2020-26287

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	HedgeDoc 1.7.1	https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1
2	Merge pull request from GHSA-g6w6-7xf9-m95p	https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4
3	Stored XSS in mermaid diagrams	https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p

Change Log

No	Changed Details	Date of change
1	[2021年09月03日] 掲載	Sept. 3, 2021, 4:21 p.m.