cnvd - cnvd-2021-08894

CNVD-2021-08894

Vulnerability from cnvd - Published: 2021-02-03

Title

Hedgedoc跨站脚本漏洞

Description

Hedgedoc是Hedgedoc团队的一个基于Javascript的Markdown文档实时编辑分享平台。 HedgeDoc 1.7.1之前版本存在安全漏洞，攻击者可利用该漏洞可以在HedgeDoc notes中注入任意的“脚本”标签。我们的内容安全策略禁止从大多数位置加载脚本，但“www.google-analytics.com”是允许的。使用谷歌标签管理器可以注入任意JavaScript并在页面加载时执行它。

Severity

中

Patch Name

Hedgedoc跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-26287

Impacted products

Name
Hedgedoc HedgeDoc <1.7.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-26287",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-26287"
    }
  },
  "description": "Hedgedoc\u662fHedgedoc\u56e2\u961f\u7684\u4e00\u4e2a\u57fa\u4e8eJavascript\u7684Markdown\u6587\u6863\u5b9e\u65f6\u7f16\u8f91\u5206\u4eab\u5e73\u53f0\u3002\n\nHedgeDoc 1.7.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u5728HedgeDoc notes\u4e2d\u6ce8\u5165\u4efb\u610f\u7684\u201c\u811a\u672c\u201d\u6807\u7b7e\u3002\u6211\u4eec\u7684\u5185\u5bb9\u5b89\u5168\u7b56\u7565\u7981\u6b62\u4ece\u5927\u591a\u6570\u4f4d\u7f6e\u52a0\u8f7d\u811a\u672c\uff0c\u4f46\u201cwww.google-analytics.com\u201d\u662f\u5141\u8bb8\u7684\u3002\u4f7f\u7528\u8c37\u6b4c\u6807\u7b7e\u7ba1\u7406\u5668\u53ef\u4ee5\u6ce8\u5165\u4efb\u610fJavaScript\u5e76\u5728\u9875\u9762\u52a0\u8f7d\u65f6\u6267\u884c\u5b83\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1ahttps://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-08894",
  "openTime": "2021-02-03",
  "patchDescription": "Hedgedoc\u662fHedgedoc\u56e2\u961f\u7684\u4e00\u4e2a\u57fa\u4e8eJavascript\u7684Markdown\u6587\u6863\u5b9e\u65f6\u7f16\u8f91\u5206\u4eab\u5e73\u53f0\u3002\r\n\r\nHedgeDoc 1.7.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u5728HedgeDoc notes\u4e2d\u6ce8\u5165\u4efb\u610f\u7684\u201c\u811a\u672c\u201d\u6807\u7b7e\u3002\u6211\u4eec\u7684\u5185\u5bb9\u5b89\u5168\u7b56\u7565\u7981\u6b62\u4ece\u5927\u591a\u6570\u4f4d\u7f6e\u52a0\u8f7d\u811a\u672c\uff0c\u4f46\u201cwww.google-analytics.com\u201d\u662f\u5141\u8bb8\u7684\u3002\u4f7f\u7528\u8c37\u6b4c\u6807\u7b7e\u7ba1\u7406\u5668\u53ef\u4ee5\u6ce8\u5165\u4efb\u610fJavaScript\u5e76\u5728\u9875\u9762\u52a0\u8f7d\u65f6\u6267\u884c\u5b83\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Hedgedoc\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Hedgedoc HedgeDoc \u003c1.7.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-26287",
  "serverity": "\u4e2d",
  "submitTime": "2020-12-30",
  "title": "Hedgedoc\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2020-26287 (GCVE-0-2020-26287)

Vulnerability from cvelistv5 – Published: 2020-12-28 23:30 – Updated: 2024-08-04 15:56

Title

Stored XSS in mermaid diagrams

Summary

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist.

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1	x_refsource_MISC
	https://github.com/hedgedoc/hedgedoc/security/adv…	x_refsource_CONFIRM
	https://github.com/hackmdio/codimd/issues/1630	x_refsource_MISC
	https://github.com/Alemmi/ctf-writeups/blob/main/…	x_refsource_MISC
	https://github.com/hedgedoc/hedgedoc/commit/58276…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	hedgedoc	hedgedoc	Affected: < 1.7.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:56:03.991Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hackmdio/codimd/issues/1630"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hedgedoc",
          "vendor": "hedgedoc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.7.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-28T23:30:17",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hackmdio/codimd/issues/1630"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4"
        }
      ],
      "source": {
        "advisory": "GHSA-g6w6-7xf9-m95p",
        "discovery": "UNKNOWN"
      },
      "title": "Stored XSS in mermaid diagrams",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26287",
          "STATE": "PUBLIC",
          "TITLE": "Stored XSS in mermaid diagrams"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "hedgedoc",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "hedgedoc"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1",
              "refsource": "MISC",
              "url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1"
            },
            {
              "name": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p",
              "refsource": "CONFIRM",
              "url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p"
            },
            {
              "name": "https://github.com/hackmdio/codimd/issues/1630",
              "refsource": "MISC",
              "url": "https://github.com/hackmdio/codimd/issues/1630"
            },
            {
              "name": "https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md",
              "refsource": "MISC",
              "url": "https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md"
            },
            {
              "name": "https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4",
              "refsource": "MISC",
              "url": "https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-g6w6-7xf9-m95p",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26287",
    "datePublished": "2020-12-28T23:30:17",
    "dateReserved": "2020-10-01T00:00:00",
    "dateUpdated": "2024-08-04T15:56:03.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-08894

CVE-2020-26287 (GCVE-0-2020-26287)

Tags

Sightings

Nomenclature