CVE-2021-39175
8.1 HIGH · HedgeDoc is a platform to write and share markdown
Published: 2021-08-30 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (network-reachable, no privileges required, a victim must open the slides or speaker notes, high confidentiality and integrity impact)
- CWE: CWE-346 (Origin Validation Error), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Affected products
| Vendor | Product |
|---|---|
| hedgedoc | hedgedoc |
Description
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
Source: NVD
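The CWE assignment says how to read the description: an origin-validation error (CWE-346) that becomes injection (CWE-74/CWE-79), because content reaches the speaker-notes window from another browsing context (a frame inside the slides, or a page that framed the instance) and is rendered without checking where it came from. The block below is an added illustration of that pattern in a cross-window message handler, written for this page; it is not HedgeDoc's or reveal.js's code, and the message shape (`{type, notes}`), the trusted origin and the `escapeHtml` helper are assumptions. It puts a receiver that accepts any origin and writes the payload as HTML beside one that exact-matches `event.origin`, validates the payload and renders the notes as text.

```javascript
// Added example for this page, not HedgeDoc code. Models a speaker-notes
// window that receives slide content from another window via postMessage.
// Assumed message shape: event.data = { type: "notes", notes: "<string>" }.

const TRUSTED_ORIGIN = "https://notes.example.org"; // assumed deployment origin

// Escape the five HTML-significant characters so note text is displayed, not parsed.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// event.data may arrive as a JSON string or as a structured-clone object.
function parseMessage(data) {
  try {
    const msg = typeof data === "string" ? JSON.parse(data) : data;
    return msg && typeof msg === "object" ? msg : null;
  } catch {
    return null;
  }
}

// VULNERABLE PATTERN: any window that can reach this one (a parent page that
// framed it, or a frame it embedded) can post a message; the origin is never
// checked and the payload is handed back as raw HTML destined for innerHTML.
function handleNotesVulnerable(event) {
  const msg = parseMessage(event.data);
  if (!msg || msg.type !== "notes") return { accepted: false };
  return { accepted: true, html: msg.notes };
}

// HARDENED PATTERN: exact-match origin check (never a prefix or substring test),
// reject malformed payloads, and render the note as text rather than markup.
function handleNotesHardened(event, trustedOrigin = TRUSTED_ORIGIN) {
  if (event.origin !== trustedOrigin) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  const msg = parseMessage(event.data);
  if (!msg || msg.type !== "notes" || typeof msg.notes !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  return { accepted: true, html: '<div class="notes">' + escapeHtml(msg.notes) + "</div>" };
}

// Constructed sample messages (not captured traffic).
const attackerMessage = {
  origin: "https://attacker.example",
  data: { type: "notes", notes: '<img src=x onerror="alert(document.cookie)">' },
};
const legitMessage = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ type: "notes", notes: "Mention the <demo> at the end" }),
};

// Browser wiring (skipped under Node): only the hardened handler touches the DOM.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = handleNotesHardened(event);
    if (result.accepted) document.getElementById("notes").innerHTML = result.html;
  });
}
```

Two practical notes on the hardened side. The sending window has to do its part too: call `postMessage(data, "https://notes.example.org")` with the concrete target origin rather than `"*"`, otherwise a page that framed the sender can receive the notes as well. And escaping to text is the conservative choice; if notes legitimately carry markup, pass them through an allowlist sanitizer (DOMPurify or equivalent) before `innerHTML`, never straight from the message. None of this is a workaround for the affected versions: the advisory lists no mitigation other than upgrading to 1.9.0.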
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
- [Advisory] https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697
- [Patch] https://github.com/hedgedoc/hedgedoc/pull/1369
- [Patch] https://github.com/hedgedoc/hedgedoc/pull/1375
- [Patch] https://github.com/hedgedoc/hedgedoc/pull/1513
Related CVEs
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-12304 — Same-origin policy bypass in the Networking: Cookies component (9.1 CRITICAL)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)