HedgeDoc Content Security Policy Vulnerability in Uploads Endpoint Allowing SVG Exploitation

Vulnerability

A vulnerability in HedgeDoc prior to version 1.10.6 allowed files served under the '/uploads/' endpoint to be delivered without the strict security headers applied to the rest of the application. The result was an overly permissive Content-Security-Policy on that path, which allowed uploaded SVG files to host malicious interactive web content, such as counterfeit login forms. The issue has been resolved in version 1.10.6 by reapplying the necessary security headers and extending the Content-Security-Policy with sandboxing restrictions.

Impact

Exploitation of this vulnerability could allow an attacker to upload malicious SVG files that, because of the lax security headers on '/uploads/', render as fake login forms or similar interactive content, potentially deceiving users who open them.

Remediation

Upgrade to HedgeDoc version 1.10.6, which addresses this vulnerability by correctly applying security headers to uploaded files. If upgrading is not possible, the appropriate headers can be added manually with a reverse proxy for all paths that start with '/uploads/'.
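The reverse-proxy workaround described above, written out as an nginx configuration. This is an added illustration, not HedgeDoc's own configuration or the exact header set shipped in 1.10.6; the hostname, the upstream address 127.0.0.1:3000 and the particular header values are the editor's assumptions.

```nginx
# Added example (not from the HedgeDoc project): put a sandboxed CSP on
# everything under /uploads/ when the instance cannot yet move to 1.10.6.
# Assumes HedgeDoc listens on 127.0.0.1:3000 behind this nginx server.
server {
    listen 443 ssl;
    server_name hedgedoc.example.org;   # placeholder hostname

    # Application routes: proxied unchanged, HedgeDoc sets its own headers.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Uploaded files: treat them as untrusted documents. "sandbox" with no
    # allow-* tokens disables script execution, form submission and
    # top-level navigation for an SVG opened directly from this path, so a
    # counterfeit login form inside it cannot post anywhere.
    location /uploads/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;

        # add_header in a location block replaces every add_header inherited
        # from the server block, so list all headers wanted on this path here.
        # default-src 'none' also blocks inline styles when a file is viewed
        # directly; add "style-src 'unsafe-inline'" if such files must render.
        add_header Content-Security-Policy "sandbox; default-src 'none'" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer" always;
    }
}
```

After reloading nginx, confirm the policy is present with `curl -sI https://hedgedoc.example.org/uploads/<file> | grep -i content-security-policy`, checking a path outside '/uploads/' as well to be sure the application's own headers were not affected.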

Added: Feb 6, 2026, 8:23 PM
Updated: Feb 6, 2026, 11:49 PM

Vulnerability Rating

Custom Algorithm

spread         3.1
impact         2.9
exploitability 5.5
remediation    7.7
relevance      2.8
threat         3.2
urgency        2.9
incentive      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.