#VU127919 Improper Validation of Unsafe Equivalence in Input in HedgeDoc - CVE-2024-45308

Published: September 1, 2024 / Updated: April 25, 2026


Vulnerability identifier: #VU127919
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-45308
CWE-ID: CWE-1289
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: HedgeDoc
Software vendor: HedgeDoc

Description

The vulnerability allows a remote attacker to modify note content presented to users and cause a denial of service.

The vulnerability exists due to improper validation of unsafe equivalence in input during note alias handling: when notes are created with arbitrary aliases in free URL mode on MySQL or MariaDB, a new alias is accepted even though the database treats it as equivalent to an existing note ID. A remote attacker can create a note with an alias matching the lower-cased ID of an existing note to modify the note content presented to users and cause a denial of service.

Only instances running MySQL or MariaDB with the free URL feature enabled are vulnerable, and exploitation requires knowledge of the target note ID.
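The following is an added JavaScript example, not HedgeDoc's code and not part of this advisory. It models the equivalence problem described above: a lookup that compares strings case-insensitively (as the default MySQL/MariaDB collations do), an availability check that only rejects exact duplicates and therefore lets the lower-cased alias through, and the two defensive counterparts a maintainer would want: an availability check that applies the same case-insensitive comparison as the database, and a resolver that prefers an exact-case match and refuses to serve an ambiguous result. The in-memory note store, the function names and the sample IDs are assumptions made for the example.

```javascript
// Added example, not HedgeDoc's code: models the alias/ID equivalence problem
// described in the advisory and a defensive check. The store, its lookup and
// the validation functions are hypothetical stand-ins for a database layer.

// Constructed sample: one existing note, keyed by its case-sensitive ID.
const existingNotes = new Map([
  ["AbCdEf", { id: "AbCdEf", aliases: [], content: "original content" }],
]);

// Simulates a lookup under a case-insensitive collation, where "abcdef" is
// treated as equal to the ID "AbCdEf": every note whose ID or alias matches
// case-insensitively is returned, so a colliding alias yields two candidates.
function lookupCaseInsensitive(store, key) {
  const needle = key.toLowerCase();
  const matches = [];
  for (const note of store.values()) {
    const keys = [note.id, ...note.aliases];
    if (keys.some((k) => k.toLowerCase() === needle)) matches.push(note);
  }
  return matches;
}

// Weak check: only rejects an alias that exactly equals an existing key.
// "abcdef" passes even though it collides with "AbCdEf" under the collation.
function aliasAvailableExact(store, alias) {
  for (const note of store.values()) {
    if (note.id === alias || note.aliases.includes(alias)) return false;
  }
  return true;
}

// Hardened check: reject an alias that collides with any existing ID or
// alias under the same case-insensitive comparison the database applies.
function aliasAvailableCaseInsensitive(store, alias) {
  return lookupCaseInsensitive(store, alias).length === 0;
}

// Resolver that prefers an exact-case match and refuses to serve an
// ambiguous result, so a colliding alias cannot shadow the original note.
function resolveNote(store, key) {
  const matches = lookupCaseInsensitive(store, key);
  if (matches.length === 1) return matches[0];
  const exact = matches.find((n) => n.id === key || n.aliases.includes(key));
  return exact || null; // null: ambiguous and no exact match
}

// Scenario: a second note is created whose alias is the lower-cased ID of
// the first. Returns what each check decided and what the resolver served.
function simulateCollision() {
  const store = new Map(existingNotes);
  const alias = "abcdef"; // lower-cased form of "AbCdEf"
  const weakAccepts = aliasAvailableExact(store, alias); // true
  const hardenedAccepts = aliasAvailableCaseInsensitive(store, alias); // false
  // Insert the note as the weak check would have allowed.
  store.set("XyZ123", { id: "XyZ123", aliases: [alias], content: "other content" });
  const candidates = lookupCaseInsensitive(store, alias).length; // 2
  const served = resolveNote(store, "AbCdEf");
  return { weakAccepts, hardenedAccepts, candidates, servedId: served ? served.id : null };
}

console.log(simulateCollision());
```

The point of the two checks side by side is that the availability test must use the same notion of equality as the storage layer: if the database collation folds case, an exact-string comparison at the application layer is not a uniqueness check at all.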


Remediation

Install the security update from the vendor's website.

External links