CVE-2024-38354

CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe `HTML` tags with an improperly sanitized `name` attribute. This vulnerability enables attackers to perform cross-site scripting (XSS) attacks via DOM clobbering. This vulnerability is fixed in 2.5.4.
Configurations

Configuration 1 (hide)

cpe:2.3:a:hackmd:codimd:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:25

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : 8.1
References () https://github.com/hackmdio/codimd/security/advisories/GHSA-22jv-vch8-2vp9 - Exploit, Vendor Advisory () https://github.com/hackmdio/codimd/security/advisories/GHSA-22jv-vch8-2vp9 - Exploit, Vendor Advisory

03 Sep 2024, 21:57

Type Values Removed Values Added
First Time Hackmd
Hackmd codimd
References () https://github.com/hackmdio/codimd/security/advisories/GHSA-22jv-vch8-2vp9 - () https://github.com/hackmdio/codimd/security/advisories/GHSA-22jv-vch8-2vp9 - Exploit, Vendor Advisory
CPE cpe:2.3:a:hackmd:codimd:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 8.1
v2 : unknown
v3 : 6.1

11 Jul 2024, 13:05

Type Values Removed Values Added
Summary
  • (es) CodiMD permite notas de markdown colaborativas en tiempo real en todas las plataformas. La función de cuaderno de Hackmd.io permite la representación de etiquetas "HTML" de iframe con un atributo "name" incorrectamente sanitizado. Esta vulnerabilidad permite a los atacantes realizar ataques de cross-site scripting (XSS) mediante destrucción de DOM. Esta vulnerabilidad se solucionó en 2.5.4.

10 Jul 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-10 20:15

Updated : 2024-11-21 09:25


NVD link : CVE-2024-38354

Mitre link : CVE-2024-38354

CVE.ORG link : CVE-2024-38354


JSON object : View

Products Affected

hackmd

  • codimd
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')