CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-29474 – Relative Path Traversal Attack on note creation
https://notcve.org/view.php?id=CVE-2021-29474
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker can read arbitrary `.md` files from the server's filesystem due to an improper input validation, which results in the ability to perform a relative path traversal. To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`). If you see a README page being rendered, you run an affected version. • https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29475 – PDF export allows arbitrary file reads
https://notcve.org/view.php?id=CVE-2021-29475
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker is able to receive arbitrary files from the file system when exporting a note to PDF. Since the code injection has to take place as note content, there fore this exploit requires the attackers ability to modify a note. This will affect all instances, which have pdf export enabled. This issue has been fixed by https://github.com/hedgedoc/hedgedoc/commit/c1789474020a6d668d616464cb2da5e90e123f65 and is available in version 1.5.0. • https://github.com/hedgedoc/hedgedoc/commit/c1789474020a6d668d616464cb2da5e90e123f65 https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pxxg-px9v-6qf3 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-21259 – Stored XSS in slide mode
https://notcve.org/view.php?id=CVE-2021-21259
HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. • https://github.com/hackmdio/codimd/issues/1648 https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7efef https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2 https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 1CVE-2020-26287 – Stored XSS in mermaid diagrams
https://notcve.org/view.php?id=CVE-2020-26287
HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. • https://github.com/Alemmi/ctf-writeups/blob/main/hxpctf-2020/hackme/solution.md https://github.com/hackmdio/codimd/issues/1630 https://github.com/hedgedoc/hedgedoc/commit/58276ebbf4504a682454a3686dcaff88bc1069d4 https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1 https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26286 – Arbitary file upload
https://notcve.org/view.php?id=CVE-2020-26286
HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an unauthenticated attacker can upload arbitrary files to the upload storage backend including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should however verify that your uploaded file storage only contains files that are allowed, as uploaded files might still be served. As workaround it's possible to block the `/uploadimage` endpoint on your instance using your reverse proxy. • https://github.com/hedgedoc/hedgedoc/commit/e9306991cdb5ff2752c1eeba3fedba42aec3c2d8 https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1 https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc • CWE-434: Unrestricted Upload of File with Dangerous Type •