CVE-2020-26287 HIGH

CVE-2020-26287: Stored XSS in mermaid diagrams

Vendor Hedgedoc
Product hedgedoc
Weakness CWE-79 · XSS
Published December 28, 2020
Last update August 4, 2024
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manger it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist.

Key dates

02Disclosure timeline

December 28, 2020 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-34412 Stored XXS vulnerability in mbnet, mbnet.rokey, REX 200 and REX 250 CVE-2023-2058 EyouCms HTTP POST Request cross site scripting CVE-2023-36689 WordPress WPFactory Helper Plugin <= 1.5.2 is vulnerable to Cross Site Scripting (XSS) CVE-2024-56022 WordPress Preloader by WordPress Monsters plugin <= 1.2.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-5144 The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting