CVE-2021-39175
Published: 30 August 2021
Summary
CVE-2021-39175 is a high-severity Injection (CWE-74) vulnerability in Hedgedoc Hedgedoc. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 45.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-25572
Vulnerability details
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or…
more
by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
Validates web inputs to reject script-related content that could produce XSS.