How severe is CVE-2025-32391?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.4 out of 10.

What type of vulnerability is CVE-2025-32391?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2025-32391 - MEDIUM Severity | CVSS 6.4

Vulnerability Description

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.3, a malicious SVG file uploaded to HedgeDoc results in the possibility of XSS when opened in a new tab instead of the editor itself. The XSS is possible by exploiting the JSONP capabilities of GitHub Gist embeddings. Only instances with the local filesystem upload backend or special configurations, where the uploads are served from the same domain as HedgeDoc, are vulnerable. This vulnerability is fixed in 1.10.3. When upgrading to HedgeDoc 1.10.3 is not possible, instance owners could add the following headers for all routes under /uploads as a first-countermeasure: Content-Disposition: attachment and Content-Security-Policy: default-src 'none'. Additionally, the external URLs in the script-src attribute of the Content-Security-Policy header should be removed.

Related Vulnerabilities

CVE-2012-3341

MEDIUM

CVSS:6.4(Medium)

IBM InfoSphere Guardium 7.0, 8.0, 8.01, and 8.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a ...

CWE-792012

CVE-2016-2138

MEDIUM

CVSS:6.4(Medium)

In kippo-graph before version 1.5.1, there is a cross-site scripting vulnerability in xss_clean() in class/KippoInput.class.php.

CWE-792016

CVE-2016-2139

MEDIUM

CVSS:6.4(Medium)

In kippo-graph before version 1.5.1, there is a cross-site scripting vulnerability in $file_link in class/KippoInput.class.php.

CWE-792016

CVE-2019-3769

MEDIUM

CVSS:6.4(Medium)

Dell Wyse Management Suite versions prior to 1.4.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to st...

CWE-792019

CVE-2019-3770

MEDIUM

CVSS:6.4(Medium)

Dell Wyse Management Suite versions prior to 1.4.1 contain a stored cross-site scripting vulnerability when unregistering a device. A remote authenticated malicious user with low privileges could expl...

CWE-792019

CVE-2019-7004

MEDIUM

CVSS:6.4(Medium)

A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product ve...

CWE-792019