PT-2023-26467 · Hedgedoc · Hedgedoc

Genygo · Published 2023-08-04 · Updated 2023-08-10

CVE-2023-38487

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.9.9
Description: HedgeDoc is software for creating real-time collaborative markdown notes. The issue allows attackers to create notes with an alias matching the ID of an existing note, effectively hiding the original note. When the freeURL feature is enabled, any user with the appropriate permissions can create a note by making a POST request to the "/new/" API endpoint, with the <ALIAS> parameter set to the ID of an existing note. Depending on the permission settings, the issue can be exploited by logged-in users or by all users. Attackers can use this issue to present a manipulated copy of the original note or to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database.
Recommendations: For HedgeDoc versions prior to 1.9.9, update to version 1.9.9 to fix the issue. As a temporary workaround, consider disabling the freeURL mode to prevent exploitation of this issue. To limit the impact, restrict freeURL note creation to trusted, logged-in users by enabling requireFreeURLAuthentication (or the CMD_REQUIRE_FREEURL_AUTHENTICATION environment variable).
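As an added, defensive example (not from the advisory or the HedgeDoc project), a small Python check that classifies a deployment's exposure to this issue from its config.json, environment and version. The setting names are the documented HedgeDoc ones the recommendation refers to (allowFreeURL, requireFreeURLAuthentication and their CMD_ env forms); the env-over-config precedence rule and the sample config are assumptions.

```python
import json
import os

# Constructed sample config.json in HedgeDoc's layout (the "production" block is
# the one the server reads). Values are illustrative, not taken from a real host.
SAMPLE_CONFIG = json.dumps({
    "production": {"domain": "notes.example.com", "allowFreeURL": True}
})

FIXED_VERSION = (1, 9, 9)   # first release with the fix, per the advisory


def parse_version(v):
    """Turn '1.9.8' into (1, 9, 8) for comparison against the fixed release."""
    return tuple(int(part) for part in v.strip().split(".")[:3])


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes")


def assess_freeurl_exposure(config_text, env, version, section="production"):
    """Return a risk label for the note-alias shadowing issue.

    Assumption: environment variables override config.json, so CMD_ALLOW_FREEURL
    and CMD_REQUIRE_FREEURL_AUTHENTICATION are consulted before the JSON keys.
    """
    cfg = json.loads(config_text).get(section, {})
    allow = (_truthy(env["CMD_ALLOW_FREEURL"]) if "CMD_ALLOW_FREEURL" in env
             else bool(cfg.get("allowFreeURL", False)))
    require_auth = (_truthy(env["CMD_REQUIRE_FREEURL_AUTHENTICATION"])
                    if "CMD_REQUIRE_FREEURL_AUTHENTICATION" in env
                    else bool(cfg.get("requireFreeURLAuthentication", False)))
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"                  # 1.9.9 or later: issue is patched
    if not allow:
        return "not-exposed"            # freeURL off: /new/<alias> unusable
    if require_auth:
        return "exposed-authenticated-only"  # workaround: logged-in users only
    return "exposed-anonymous"          # worst case: any client can shadow IDs


if __name__ == "__main__":
    # Evaluate the constructed config against the live environment as 1.9.8.
    print(assess_freeurl_exposure(SAMPLE_CONFIG, dict(os.environ), "1.9.8"))
```

Point the function at a real config.json and the service's environment to get the same three-way classification for an actual instance.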


Related Identifiers

CVE-2023-38487
GHSA-7494-7HCF-VXPG

Affected Products

Hedgedoc