PT-2024-31561 · Mariadb+1

Genygo · Published 2024-09-02 · Updated 2024-09-03 · CVE-2024-45308
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.10.0
Description: HedgeDoc is an open source, real-time, collaborative Markdown notes application. When HedgeDoc is backed by MySQL or MariaDB, a note can be created with an alias that matches the ID of an existing note, so the alias shadows the original note. Depending on the freeURL permission settings, the issue can be exploited by logged-in users or by anyone, and it requires knowledge of the target note's ID. An attacker can use it to present a manipulated copy of the original note or to block access to it (a denial of service). No data is lost: the original content remains in the database.
Recommendations: Upgrade to version 1.10.0. If upgrading is not possible, disable freeURL mode (allowFreeURL / CMD_ALLOW_FREEURL set to false) to prevent exploitation, or restrict freeURL note creation to trusted, logged-in users by enabling requireFreeURLAuthentication (environment variable CMD_REQUIRE_FREEURL_AUTHENTICATION).
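The two workarounds above as configuration, together with a small check that classifies a deployment as exposed, mitigated or fixed. This is an added example, not HedgeDoc's code and not part of this entry: the key names follow HedgeDoc's documented config.json keys (allowFreeURL, requireFreeURLAuthentication, db.dialect, dbURL) and their CMD_* environment overrides, while the sample configs, the helper functions and the assumption that HedgeDoc accepts only the literal string "true" as a boolean environment override are constructed here.

```javascript
// Added example for this advisory entry, not code from HedgeDoc or this database.
// Key names follow HedgeDoc's documented config.json keys and CMD_* environment
// overrides; the sample configs and helper functions are constructed here.

const FIXED_VERSION = "1.10.0";

// Constructed sample: a pre-1.10.0 deployment on MariaDB with freeURL open to
// everyone, which is the exploitable combination from the description.
const weakConfig = {
  db: { dialect: "mariadb", host: "db", database: "hedgedoc" },
  allowFreeURL: true,
  requireFreeURLAuthentication: false,
};

// Constructed sample: the same deployment with the second workaround applied,
// so only logged-in users can create freeURL notes.
const hardenedConfig = {
  ...weakConfig,
  requireFreeURLAuthentication: true,
};

// Parse "major.minor.patch" (optionally prefixed with "v") into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare per component numerically, so 1.9.9 < 1.10.0 (string comparison gets this wrong).
function versionAtLeast(actual, required) {
  const a = parseVersion(actual);
  const r = parseVersion(required);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== r[i]) return a[i] > r[i];
  }
  return true;
}

// Assumption: a boolean environment override counts as true only when it is the
// literal string "true"; any other value is false. Absent variables fall back to config.json.
function envBool(env, name, fallback) {
  return name in env ? env[name] === "true" : fallback;
}

// Resolve the database dialect from db.dialect, or from the scheme of dbURL / CMD_DB_URL.
function dialectOf(config, env) {
  if (config.db && config.db.dialect) return String(config.db.dialect).toLowerCase();
  const url = env.CMD_DB_URL || config.dbURL || "";
  const m = /^([a-z]+):\/\//i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// Classify exposure to the alias-shadowing issue:
//   "fixed"              running 1.10.0 or later
//   "not-affected"       database is not MySQL/MariaDB
//   "mitigated"          freeURL mode disabled
//   "authenticated-only" freeURL enabled but restricted to logged-in users
//   "anonymous"          freeURL enabled for everyone (worst case)
function assessAliasShadowing(config, version, env = {}) {
  if (versionAtLeast(version, FIXED_VERSION)) return "fixed";
  const dialect = dialectOf(config, env);
  if (!["mysql", "mariadb"].includes(dialect)) return "not-affected";
  const allowFreeURL = envBool(env, "CMD_ALLOW_FREEURL", Boolean(config.allowFreeURL));
  if (!allowFreeURL) return "mitigated";
  const requireAuth = envBool(
    env,
    "CMD_REQUIRE_FREEURL_AUTHENTICATION",
    Boolean(config.requireFreeURLAuthentication),
  );
  return requireAuth ? "authenticated-only" : "anonymous";
}

// Stand-alone run: show how each sample is classified.
for (const [label, cfg] of Object.entries({ weakConfig, hardenedConfig })) {
  console.log(`${label} on 1.9.9: ${assessAliasShadowing(cfg, "1.9.9")}`);
}
console.log(`weakConfig on 1.10.0: ${assessAliasShadowing(weakConfig, "1.10.0")}`);
```

Environment variables take precedence over config.json in the check, mirroring how a containerised HedgeDoc is normally configured, so passing CMD_ALLOW_FREEURL=false turns the weak sample into a mitigated one without touching the file.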

Related Identifiers

CVE-2024-45308
GHSA-PJF2-269H-CX7P

Affected Products

MariaDB
MySQL Server