Genygo

#19987of 53,630
13Total CVSS
Vulnerabilities · 2
Medium
2
PT-2024-31561
6.5
2024-09-02
Mariadb · Mariadb · CVE-2024-45308
**Name of the Vulnerable Software and Affected Versions** HedgeDoc versions prior to 1.10.0 **Description** HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes, effectively hiding the original note. The issue can be exploited by logged-in users or all users, depending on the permission settings, and requires knowledge of the target note's ID. Attackers can use this issue to present a manipulated copy of the original note or prevent access to it, causing a denial of service. No data is lost, as the original content remains in the database. **Recommendations** To resolve the issue, upgrade to version 1.10.0. If unable to upgrade, disable freeURL mode to prevent exploitation. Alternatively, restrict freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD REQUIRE FREEURL AUTHENTICATION`.
PT-2023-26467
6.5
2023-08-04
Hedgedoc · Hedgedoc · CVE-2023-38487
**Name of the Vulnerable Software and Affected Versions** HedgeDoc versions prior to 1.9.9 **Description** HedgeDoc is software for creating real-time collaborative markdown notes. The issue allows attackers to create notes with an alias matching the ID of existing notes, effectively hiding the original note. When the freeURL feature is enabled, any user with the appropriate permissions can create a note by making a POST request to the "/new/<ALIAS>" API endpoint. The `<ALIAS>` parameter can be set to the ID of an existing note. Depending on the permission settings, the issue can be exploited by logged-in users or all users. Attackers can use this issue to present a manipulated copy of the original note or prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. **Recommendations** For HedgeDoc versions prior to 1.9.9, update to version 1.9.9 to fix the issue. As a temporary workaround, consider disabling the freeURL mode to prevent exploitation of this issue. To limit the impact, restrict freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication` or `CMD REQUIRE FREEURL AUTHENTICATION`.