SB2024090101 - Improper Validation of Unsafe Equivalence in Input in HedgeDoc

Published: September 1, 2024 Updated: April 25, 2026

Security Bulletin ID SB2024090101
Severity Medium
Patch available YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Validation of Unsafe Equivalence in Input (CVE-ID: CVE-2024-45308)

The vulnerability allows a remote attacker to modify note content presented to users and cause a denial of service.

The vulnerability exists due to improper validation of unsafe equivalence in input in note alias handling when creating notes with arbitrary aliases in free URL mode on MySQL or MariaDB. A remote attacker can create a note with an alias matching the lower-cased ID of an existing note to modify note content presented to users and cause a denial of service.

Only instances using MySQL or MariaDB with the free URL feature enabled are vulnerable, and exploitation requires knowledge of the target note ID.
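As an added illustration (not HedgeDoc's code and not the vendor's fix), the following JavaScript shows the kind of application-side check that closes this class of collision: a requested alias is rejected whenever it matches any existing note ID or alias after case folding, which mirrors how a case-insensitive MySQL/MariaDB collation compares strings, so an alias can no longer resolve to the same row as an existing note's ID. The store layout, the function names and the sample note IDs are assumptions made for this example.

```javascript
// Added illustration, not HedgeDoc code: reject aliases that collide with an
// existing note ID or alias under case-insensitive comparison, the way a
// MySQL/MariaDB *_ci collation would compare them. Store shape, names and
// sample data are assumptions for this example.

// Constructed sample store: mixed-case note IDs, some with an alias.
const EXISTING_NOTES = [
  { id: 'AbC123xyz', alias: null },
  { id: 'Qwe456Rty', alias: 'team-notes' },
];

// Fold case the way a case-insensitive collation does before comparing.
function foldCase(s) {
  return String(s).toLowerCase();
}

// True only if `alias` matches no existing id or alias after case folding.
// Checking the folded form is the point: a plain `===` on the raw strings
// would accept 'abc123xyz' even though the database treats it as equal to
// the id 'AbC123xyz'.
function isAliasAvailable(notes, alias) {
  const wanted = foldCase(alias);
  for (const note of notes) {
    if (foldCase(note.id) === wanted) return false;
    if (note.alias !== null && foldCase(note.alias) === wanted) return false;
  }
  return true;
}

// Create a note, refusing any alias that would shadow an existing note.
// Returns the new store size so callers (and tests) can confirm the write.
function createNote(notes, id, alias) {
  if (alias !== null && !isAliasAvailable(notes, alias)) {
    throw new Error(`alias "${alias}" collides with an existing note id or alias (case-insensitive)`);
  }
  if (!isAliasAvailable(notes, id)) {
    throw new Error(`id "${id}" collides with an existing note id or alias (case-insensitive)`);
  }
  notes.push({ id, alias });
  return notes.length;
}

// Resolve a URL key (id or alias) case-insensitively, modelling the
// collation-driven lookup. With the write-time check enforced, at most one
// row can match, so the first hit is unambiguous.
function resolveNote(notes, key) {
  const wanted = foldCase(key);
  return notes.find(
    (n) => foldCase(n.id) === wanted || (n.alias !== null && foldCase(n.alias) === wanted)
  ) || null;
}

// Example run (assumption-based sample data):
//   createNote(EXISTING_NOTES, 'Zxc789Vbn', 'abc123xyz')  -> throws
//   createNote(EXISTING_NOTES, 'Zxc789Vbn', 'fresh-alias') -> 3
```

Enforcing the comparison in application code is independent of the column collation; the database-side alternative is to store the alias and ID columns under a case-sensitive (binary) collation so that the lookup itself no longer treats differently-cased strings as equal.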


Remediation

Install the update from the vendor's website.