This issue has been reported to HackMD and has been patched on hackmd.io.
Root Cause
It doesn't check the data-videoid attribute at all, and directly concatenates it into the JSONP URL. In this way we can load an arbitrary file under https://vimeo.com as JavaScript, which might cause XSS.
https://github.com/hackmdio/codimd/blob/e7a5ea813ab684f5c9569dcee3423dd9c442b9bd/public/js/extra.js#L318-L329
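The defensive counterpart to the root cause above, as an added example that is not CodiMD's own code or its actual patch: validate the attribute value before it ever reaches URL construction. Vimeo video ids are numeric, so the check accepts only a run of digits and refuses to build a request for anything else. The exact JSONP endpoint path and callback name are assumptions for illustration.

```javascript
// Added example (not CodiMD's own code): validate a Vimeo video id before
// building the JSONP URL. Vimeo video ids are numeric, so only a run of
// digits is accepted; anything else is rejected and no request is built.
// The endpoint path and callback name below are assumed for illustration.
const VIMEO_ID_PATTERN = /^[0-9]+$/;

function isValidVimeoId(videoId) {
  return typeof videoId === 'string' && VIMEO_ID_PATTERN.test(videoId);
}

function buildVimeoJsonpUrl(videoId) {
  if (!isValidVimeoId(videoId)) {
    return null; // refuse to build a URL from an unchecked attribute value
  }
  // Build from the validated id only: a digit-only id cannot change the
  // path or add query parameters, so the response is always the video API.
  return 'https://vimeo.com/api/v2/video/' + videoId + '.json?callback=vimeoCallback';
}

// Safer alternative: render an <iframe> embed on a fixed origin with the
// validated id instead of executing a JSONP response as script.
function buildVimeoEmbedSrc(videoId) {
  if (!isValidVimeoId(videoId)) return null;
  return 'https://player.vimeo.com/video/' + videoId;
}

// Constructed sample values as they might appear in a data-videoid attribute.
const samples = ['123456789', '12abc', ' 123', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', buildVimeoJsonpUrl(s));
}
```

The point of the allow-list regex is that the attribute value can only select which video is fetched, never which path under vimeo.com is loaded; the iframe variant removes the script-execution sink entirely.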
PoC
Step 1. Create a note with content
alert(document.domain);
, and
Step 2. Create a note with the following content:
Step 3. View it and trigger the XSS!
Technical Detail (Chinese): https://blog.splitline.tw/hackmd-xss/