CVE-2024-38354

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-38354

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38354.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-38354

Aliases

GHSA-22jv-vch8-2vp9

Published

2024-07-10T19:49:55Z

Modified

2025-10-20T20:27:08.949834Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Cross-site Scripting in Hackmd.io Notes lead by HTML Injection

Details

CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe HTML tags with an improperly sanitized name attribute. This vulnerability enables attackers to perform cross-site scripting (XSS) attacks via DOM clobbering. This vulnerability is fixed in 2.5.4.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ]
}

References

https://github.com/hackmdio/codimd/security/advisories/GHSA-22jv-vch8-2vp9

Affected packages

Git / github.com/hackmdio/codimd

Affected ranges

Type: GIT
Repo: https://github.com/hackmdio/codimd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

da511d0b1661e1f496e700bda35dc2b127dd456e

Affected versions

0.*

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.5.0

1.*

1.0.0-ce

1.0.1-ce

1.1.0-ce

1.1.1-ce

1.2.0

1.2.1

1.3.0

1.3.1

1.4.0

1.4.0-rc.1

1.4.0-rc.2

1.4.1

1.4.1-rc.1

2.*

2.0.0

2.0.0-rc.1

2.0.1

2.0.1-rc.1

2.1.0

2.2.0

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.5.3

v0.*

v0.3.3

v0.3.4