PT-2020-16404 · Hedgedoc · Hedgedoc

Published: 2020-12-28 · Updated: 2020-12-30 · CVE-2020-26286

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HedgeDoc, versions prior to 1.7.1
Description: The issue allows an unauthenticated attacker to upload arbitrary files, including HTML, JS, and PHP files, to the upload storage backend. Because such files may still be served from that storage, this poses a security risk. It is recommended to verify that the upload file storage contains only allowed files.
Recommendations: For versions prior to 1.7.1, update to version 1.7.1 to resolve the issue. As a temporary workaround, consider blocking the "/uploadimage" endpoint on your instance using your reverse proxy. Restrict the MIME types and file names served from your upload file storage to minimize the risk of exploitation.
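An added check that implements the advice to verify the upload storage holds only allowed files (example code, not HedgeDoc's own): it flags every file whose extension is outside an assumed image allowlist or whose leading bytes do not match that extension. The allowlist, the flat directory layout, and the constructed sample files are assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Magic-byte signatures of the image types we allow to be served from the
# upload store. Assumption: the instance is only expected to hold these types.
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def classify_file(path: Path) -> Optional[str]:
    """Return None if the file is an allowed image, else the reason it is not."""
    ext = path.suffix.lower()
    if ext not in ALLOWED_SIGNATURES:
        return "disallowed extension " + (ext or "(none)")
    with path.open("rb") as fh:
        head = fh.read(16)
    if not any(head.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        # Extension claims an image but the bytes say otherwise, e.g. HTML saved as .png
        return "content does not match extension"
    return None


def audit_uploads(upload_dir: str) -> List[Tuple[str, str]]:
    """Walk upload_dir and list (relative path, reason) for every non-image file."""
    root = Path(upload_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            reason = classify_file(path)
            if reason is not None:
                findings.append((str(path.relative_to(root)), reason))
    return findings


def build_sample_store() -> str:
    """Constructed upload directory: a real PNG header, HTML renamed to .png, a .php file."""
    store = tempfile.mkdtemp(prefix="uploads-")
    Path(store, "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    Path(store, "fake.png").write_bytes(b"<html>constructed</html>")
    Path(store, "upload.php").write_bytes(b"<?php /* constructed */ ?>")
    return store


if __name__ == "__main__":
    for rel, why in audit_uploads(build_sample_store()):
        print(f"{rel}: {why}")
```

Point it at the instance's real upload directory (for a local filesystem backend) and treat every reported file as something to quarantine and review.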

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2020-26286
GHSA-WCR3-XHV7-8GXC

Affected Products

Hedgedoc