CVE-2021-39175: 
NixOS vulnerability analysis and mitigation

HedgeDoc, a platform to write and share markdown, was affected by a high severity vulnerability (CVE-2021-39175) in versions prior to 1.9.0. The vulnerability allowed an unauthenticated attacker to inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting malicious code into the slides or by embedding the HedgeDoc instance into another page (GitHub Advisory).

The vulnerability was rated with a CVSS score of 8.1 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The attack vector was network-based, with low attack complexity, requiring no privileges but needing user interaction. The scope was unchanged, with high impact on confidentiality and integrity, but no impact on availability (GitHub Advisory).

The vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the application, potentially leading to data theft, session hijacking, or other malicious actions through cross-site scripting (XSS) attacks (GitHub Advisory).

The vulnerability was patched in version 1.9.0 through several security improvements: removing the unsafe-inline content security policy, removing Google Analytics from the content security policy, and adding a configuration option to forbid other pages from embedding a HedgeDoc instance. No workarounds were available for older versions due to the extensive changes required in the frontend code and build infrastructure (GitHub Advisory).