Improper Validation of Unsafe Equivalence in Input in HedgeDoc - CVE-2024-45308


Published: September 1, 2024 / Updated: April 25, 2026


Vulnerability identifier: #VU127919
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-45308
CWE-ID: CWE-1289
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HedgeDoc
Affected software:
HedgeDoc

Detailed vulnerability description

The vulnerability allows a remote attacker to modify note content presented to users and cause a denial of service.

The vulnerability exists because note alias handling does not validate unsafe equivalence of input when notes are created with arbitrary aliases in free URL mode on MySQL or MariaDB: an alias that differs from an existing note ID only in letter case is treated as distinct by the application but compares equal in the database. A remote attacker can create a note with an alias matching the lower-cased ID of an existing note to modify the note content presented to users and cause a denial of service.

Only instances using MySQL or MariaDB with the free URL feature enabled are vulnerable, and exploitation requires knowledge of the target note ID.
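The following is an added illustration, not HedgeDoc's own code and not derived from its repository: a small in-memory note store whose lookups mimic a case-insensitive database comparison (the behaviour the advisory attributes to MySQL/MariaDB), with an unchecked free-URL alias path shown beside a hardened one that refuses aliases equivalent to an existing ID or alias. All class and function names, the resolver ordering (alias before ID), and the sample note IDs are assumptions constructed for the example.

```javascript
// Added example (not HedgeDoc code). Models why an alias check that only
// rejects exact duplicates is insufficient when the database column is
// compared case-insensitively, and how a creation-time check closes the gap.

// Assumption: the database collation compares strings case-insensitively,
// so 'AbC' and 'abc' are the same key. We model that with a lower-case compare.
function ciEquals(a, b) {
  return a.toLowerCase() === b.toLowerCase();
}

class NoteStore {
  constructor() {
    this.notes = []; // entries: { id, alias, content }
  }

  // Store a note under a server-generated ID (constructed sample IDs below).
  addNote(id, content) {
    this.notes.push({ id, alias: null, content });
  }

  // Flawed alias creation: only an exact string match is refused, so an alias
  // that differs from an existing ID in case alone is accepted.
  setAliasUnchecked(noteId, alias) {
    if (this.notes.some(n => n.id === alias || n.alias === alias)) {
      throw new Error('alias already taken');
    }
    this.findExact(noteId).alias = alias;
  }

  // Hardened alias creation: compare the candidate alias against every
  // existing ID and alias with the same equivalence the database uses.
  setAliasChecked(noteId, alias) {
    const collides = this.notes.some(n =>
      ciEquals(n.id, alias) || (n.alias !== null && ciEquals(n.alias, alias)));
    if (collides) {
      throw new Error('alias is equivalent to an existing note ID or alias');
    }
    this.findExact(noteId).alias = alias;
  }

  findExact(id) {
    return this.notes.find(n => n.id === id);
  }

  // Resolve a URL segment as a case-insensitive lookup would. The alias
  // table is consulted before the ID table (an assumption for illustration;
  // it is the ordering under which a colliding alias shadows the original).
  resolve(segment) {
    return this.notes.find(n => n.alias !== null && ciEquals(n.alias, segment))
      || this.notes.find(n => ciEquals(n.id, segment))
      || null;
  }
}

// Walk through both paths on constructed data and return what each yields.
function demo() {
  // Unchecked path: the second note gains an alias equal to the lower-cased
  // ID of the first, and resolving the first note's ID now returns the second.
  const flawed = new NoteStore();
  flawed.addNote('AbCdEf12', 'original content');
  flawed.addNote('note-two', 'other content');
  flawed.setAliasUnchecked('note-two', 'abcdef12');
  const shadowed = flawed.resolve('AbCdEf12').content;

  // Checked path: the same alias is refused and the original stays reachable.
  const hardened = new NoteStore();
  hardened.addNote('AbCdEf12', 'original content');
  hardened.addNote('note-two', 'other content');
  let rejected = false;
  try {
    hardened.setAliasChecked('note-two', 'abcdef12');
  } catch (e) {
    rejected = true;
  }
  const intact = hardened.resolve('AbCdEf12').content;

  return { shadowed, rejected, intact };
}
```

The point of the hardened path is that the uniqueness check must use the same equivalence relation as the storage layer; checking `===` in application code while the database collation folds case leaves exactly the gap the advisory describes. An equivalent server-side fix is a unique constraint that covers both the ID and alias columns under the same collation.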


How to mitigate CVE-2024-45308

Install the security update from the vendor's website.

Sources