HedgeDoc
cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*
- <= 1.10.2
A cross-site scripting (XSS) vulnerability has been identified in HedgeDoc versions prior to 1.10.3. The issue arises when a malicious SVG file is uploaded and then opened directly in a new browser tab, rather than rendered within the HedgeDoc editor. The vulnerability is exploitable through the JSONP functionality used for GitHub Gist embeddings. It affects instances that use the local filesystem upload method, or other configurations that serve uploads from the same domain as HedgeDoc.
The vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can inject and execute malicious scripts in the context of the user's browser.
To reproduce this vulnerability, upload an SVG file containing JavaScript into a HedgeDoc instance running a vulnerable version. Ensure that the upload is served from the same domain as the HedgeDoc instance. After uploading, open the file in a new tab. The injected script will execute, demonstrating the XSS vulnerability.
Users can upgrade to HedgeDoc version 1.10.3 or later, where this vulnerability is fixed. If an immediate upgrade is not possible, instance owners can add specific headers to all routes under "/uploads" as a temporary measure. These headers should include "Content-Disposition: attachment" and "Content-Security-Policy: default-src 'none'". Additionally, remove external URLs from the "script-src" directive of the Content-Security-Policy header.
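The following is an added example, not code from the HedgeDoc project, showing the temporary workaround above as a pair of small functions: one that applies the two headers to responses for paths under /uploads, and one that audits a response's headers against the advisory's three requirements (attachment disposition, default-src 'none', no external origins in script-src). The function names, the header-map representation and the sample header set are assumptions constructed for illustration; in a real deployment the same headers would be set in the reverse proxy or application middleware in front of /uploads.

```javascript
// Added example (not HedgeDoc project code): apply the advisory's temporary
// mitigation headers to /uploads responses and verify that they are present.
// Function names and the sample header set are constructed for illustration.

const UPLOAD_PREFIX = '/uploads';

// Lower-cases header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns a new header map with the mitigation applied when `path` is under
// /uploads; headers for any other path are returned unchanged.
function hardenUploadHeaders(path, headers) {
  const out = normalizeHeaders(headers);
  if (path !== UPLOAD_PREFIX && !path.startsWith(UPLOAD_PREFIX + '/')) return out;
  // Force a download instead of inline rendering, so an uploaded SVG is
  // never interpreted as a document when opened in a browser tab.
  out['content-disposition'] = 'attachment';
  // Even if a browser renders it anyway, forbid loading scripts or any
  // other sub-resource from the uploaded document.
  out['content-security-policy'] = "default-src 'none'";
  return out;
}

// Parses a CSP header value into a map of directive -> array of source tokens.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Audits one response's headers. Returns a list of findings; an empty list
// means the response satisfies the advisory's workaround.
function checkUploadHeaders(headers) {
  const h = normalizeHeaders(headers);
  const findings = [];
  const cd = (h['content-disposition'] || '').toLowerCase();
  if (!cd.startsWith('attachment')) findings.push('Content-Disposition is not "attachment"');
  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('Content-Security-Policy header missing');
    return findings;
  }
  const d = parseCsp(csp);
  const def = d['default-src'] || [];
  if (!(def.length === 1 && def[0] === "'none'")) findings.push("default-src is not exactly 'none'");
  // The advisory also asks that script-src contain no external URLs: flag any
  // scheme-prefixed URL or bare host name (keyword sources like 'self' are quoted).
  for (const src of d['script-src'] || []) {
    if (/^https?:\/\//i.test(src) || /^[a-z0-9.*-]+\.[a-z]{2,}$/i.test(src)) {
      findings.push('script-src allows external origin ' + src);
    }
  }
  return findings;
}

// Constructed sample: headers as an unpatched instance might serve an uploaded SVG.
const SAMPLE_VULNERABLE = {
  'Content-Type': 'image/svg+xml',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://gist.github.com",
};

console.log('before:', checkUploadHeaders(SAMPLE_VULNERABLE));
console.log('after: ', checkUploadHeaders(hardenUploadHeaders('/uploads/image.svg', SAMPLE_VULNERABLE)));
```

Running the block prints three findings for the constructed sample (missing attachment disposition, a permissive default-src, and an external origin in script-src) and none once the same headers have passed through hardenUploadHeaders. The audit function is the useful part after applying the workaround: fetch any file under /uploads from the instance and feed its response headers to checkUploadHeaders to confirm the proxy or middleware change actually took effect.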