Main Vulnerability Database SB2025021482

SB2025021482 - Improper Validation of Syntactic Correctness of Input in HedgeDoc

Published: February 14, 2025 Updated: April 25, 2026

Security Bulletin ID SB2025021482

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Validation of Syntactic Correctness of Input (CVE-ID: N/A)

The vulnerability allows a remote user to gain ownership access to other users' notes.

The vulnerability exists due to improper validation of syntactic correctness of input in the SAML authentication user mapping logic when processing SAML logins with a NameID format that relies on a missing or improperly mapped attribute. A remote user can authenticate via SAML under this misconfiguration to gain ownership access to other users' notes.

Exploitation requires SAML authentication to be in use and a configuration where the IdP does not return the attribute required by the configured NameID format or the corresponding property mapping is not properly configured.

Remediation

Install update from vendor's website.

References

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gw77-7r3c-4cm3