CVE-2021-39175

8.1 HIGH

📋 TL;DR

CVE-2021-39175 is a cross-site scripting (XSS) vulnerability in HedgeDoc that allows unauthenticated attackers to inject malicious JavaScript into slide-mode speaker notes. This affects all HedgeDoc instances running versions before 1.9.0, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • HedgeDoc
Versions: All versions prior to 1.9.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with slide-mode feature enabled are vulnerable. The vulnerability requires either embedding malicious iframes in slides or embedding the HedgeDoc instance in another page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of users, or install malware through drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized actions within the HedgeDoc instance.

🟢 If Mitigated

Limited impact with proper content security policies and network segmentation, but XSS could still affect users within the application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via iframe embedding or page embedding techniques. Public proof-of-concept exists in the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0

Vendor Advisory: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697

Restart Required: Yes

Instructions:

1. Back up your HedgeDoc instance and database.
2. Update to HedgeDoc version 1.9.0 or later.
3. Restart the HedgeDoc service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable slide-mode feature

all

Temporarily disable the slide-mode feature to prevent exploitation via speaker notes.

Modify HedgeDoc configuration to disable slide-mode (specific commands depend on deployment method)

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to restrict script execution
  • Use network segmentation to isolate HedgeDoc instances and limit attack surface

🔍 How to Verify

Check if Vulnerable:

Check the HedgeDoc version: if it is below 1.9.0, the instance is vulnerable.

Check Version:

Check the HedgeDoc web interface footer, or run the appropriate version command for your deployment method.

Verify Fix Applied:

Confirm HedgeDoc version is 1.9.0 or higher and test slide-mode functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual iframe embedding patterns in slide content
  • Multiple failed attempts to access slide-mode features

Network Indicators:

  • Suspicious external script loading in slide-mode requests
  • Unusual cross-origin requests from HedgeDoc

SIEM Query:

Search HedgeDoc logs for entries containing 'slide-mode' or 'speaker-notes' together with script tags, iframe references, or other active-content markup.
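As an added illustration of the detection guidance above (not part of this advisory and not HedgeDoc's own code), the Python below applies one set of active-content checks to two kinds of input: the markdown of a slide-mode note, from which it pulls the speaker notes, and application log lines that mention slide-mode or speaker-notes. It assumes speaker notes follow the reveal.js convention of a `Note:` line inside a slide, with slides separated by `---` lines; the log format and the note content are constructed samples, not real HedgeDoc output.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Markup that a defender would treat as suspicious inside speaker-note text.
SUSPICIOUS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "iframe_tag": re.compile(r"<\s*iframe\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}

# Only log lines in slide-mode / speaker-notes context are examined, per the SIEM guidance.
SLIDE_CONTEXT = re.compile(r"slide-mode|speaker-notes", re.IGNORECASE)

# Assumption: speaker notes use the reveal.js markdown convention, a line
# starting with "Note:" inside a slide; slides are separated by "---" lines.
NOTE_MARKER = re.compile(r"^\s*Note:\s*(.*)$", re.IGNORECASE | re.MULTILINE)
SLIDE_SEPARATOR = re.compile(r"^\s*---\s*$", re.MULTILINE)


def classify(content: str) -> List[str]:
    """Return the names of every suspicious pattern found in content."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(content)]


def extract_speaker_notes(markdown: str) -> List[Tuple[int, str]]:
    """Return (slide number, note text) for every slide that carries a speaker note."""
    notes = []
    for number, slide in enumerate(SLIDE_SEPARATOR.split(markdown), 1):
        m = NOTE_MARKER.search(slide)
        if m:
            # Everything from the "Note:" marker to the end of the slide is the note.
            notes.append((number, slide[m.start(1):].strip()))
    return notes


def audit_slide_markdown(markdown: str) -> List[Dict[str, object]]:
    """Flag speaker notes in a slide-mode note that contain active content."""
    findings = []
    for number, note in extract_speaker_notes(markdown):
        reasons = classify(note)
        if reasons:
            findings.append({"slide": number, "reasons": reasons})
    return findings


def scan_log_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Apply the same checks to log lines that mention slide mode or speaker notes."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        if not SLIDE_CONTEXT.search(line):
            continue  # outside the slide-mode context this advisory is about
        reasons = classify(line)
        if reasons:
            hits.append({"line": lineno, "reasons": reasons})
    return hits


# Constructed sample of a slide-mode note; slides 3 and 4 carry active content.
SAMPLE_SLIDES = """# Welcome
Note: Thank the sponsors first.
---
## Agenda
Plain bullet points only.
---
## Demo
Note: <img src=x onerror="alert(1)">
and a second line of notes
---
## Questions
Note: <iframe src="https://example.invalid/x"></iframe>
"""

# Constructed log lines in an invented format; line 3 is not in slide-mode context.
SAMPLE_LOG = [
    "2021-09-01T10:00:01Z info note=n1 mode=slide-mode speaker-notes='Thank the sponsors first.'",
    "2021-09-01T10:00:05Z info note=n2 mode=slide-mode speaker-notes='<script src=\"https://example.invalid/a.js\"></script>'",
    "2021-09-01T10:00:09Z info note=n3 mode=document body='<iframe src=\"https://example.invalid/b\"></iframe>'",
    "2021-09-01T10:00:12Z info note=n4 mode=slide-mode speaker-notes='<a href=\"javascript:alert(1)\">click</a>'",
]

if __name__ == "__main__":
    for finding in audit_slide_markdown(SAMPLE_SLIDES):
        print("slide", finding["slide"], "->", ", ".join(finding["reasons"]))
    for hit in scan_log_lines(SAMPLE_LOG):
        print("log line", hit["line"], "->", ", ".join(hit["reasons"]))
```

The same `classify` function serves both the stored-content audit (useful for checking existing notes after upgrading) and the log sweep; the patterns are deliberately broad, so treat a hit as a triage lead rather than a confirmed injection.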
