Auto-merge PR#642

Auto-merge PR#642
CVE Team 2021-01-22 12:10:24 -05:00 committed by GitHub
commit e521621940


@ -1,18 +1,93 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21259",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Stored XSS in slide mode"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hedgedoc",
"version": {
"version_data": [
{
"version_value": "< 1.7.2"
}
]
}
}
]
},
"vendor_name": "hedgedoc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode.\n\nDepending on the configuration of the instance, the attacker may not need authentication to create or edit notes.\n\nThe problem is patched in HedgeDoc 1.7.2.\n\n### Workarounds\nDisallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content.\n\n### References\nThis issue was discovered by @TobiasHoll and reported to hackmdio/codimd: https://github.com/hackmdio/codimd/issues/1648\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an topic on our community forum\n* Join our matrix room"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw",
"refsource": "CONFIRM",
"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw"
},
{
"name": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2",
"refsource": "MISC",
"url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2"
},
{
"name": "https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7efef",
"refsource": "MISC",
"url": "https://github.com/hedgedoc/hedgedoc/commit/35b0d39a12aa35f27fba8c1f50b1886706e7efef"
}
]
},
"source": {
"advisory": "GHSA-44w9-vm8p-3cxw",
"discovery": "UNKNOWN"
}
}
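Review bot: `"discovery": "UNKNOWN"` in the new `source` block contradicts the description, which credits @TobiasHoll with finding the issue and reporting it to hackmdio/codimd; `"discovery": "EXTERNAL"` matches the provenance the record itself states. The codimd issue the description links (https://github.com/hackmdio/codimd/issues/1648) is not in `reference_data`, so consumers that only read references lose the original report; adding it as a `"refsource": "MISC"` entry keeps the two in step. The affected range is encoded informally as `"version_value": "< 1.7.2"`, which tooling cannot compare; the 4.0 format's `version_affected` field expresses this as `{ "version_affected": "<", "version_value": "1.7.2" }`. The description value also carries the advisory's markdown (`###` headings, `*` bullets, backticks), which CVE/NVD consumers render as plain text, so the Workarounds and References sections arrive as literal `###` lines; flattening them to prose would read correctly everywhere.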