PT-2022-16912 · Hedgedoc · Hedgedoc

Jimmywarting · Published 2022-04-11 · Updated 2022-04-19 · CVE-2022-24837

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions 1.9.1 through 1.9.2

Description: HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc receive an enumerable filename after upload, so anyone who knows one upload URL can guess the names of other uploads, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends except Lutim and imgur.

Recommendations: For HedgeDoc versions 1.9.1 and 1.9.2, upgrade to version 1.9.3, which patches the issue by replacing the filename generation with UUIDv4. As a temporary workaround for versions 1.9.1 and 1.9.2, consider blocking POST requests to "/uploadimage" to disable future uploads.

Tags: Exploit · Fix · Information Disclosure · Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2022-24837, GHSA-Q6VV-2Q26-J7RX

Affected Products: Hedgedoc