| Field | Change | Value |
|---|---|---|
| Severity | | |
| Remote | | |
| Type | - | Unknown |
| Type | + | Cross-site scripting |
| Description | + | In HedgeDoc versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. |
| References | + | https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697 |
| References | + | https://github.com/hedgedoc/hedgedoc/pull/1369 |
| References | + | https://github.com/hedgedoc/hedgedoc/pull/1375 |
| References | + | https://github.com/hedgedoc/hedgedoc/pull/1513 |
| Notes | | |