Information Exposure Through an Error Message in HedgeDoc - #VU127920


Published: February 2, 2025 / Updated: April 25, 2026


Vulnerability identifier: #VU127920
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-209
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HedgeDoc
Affected software:
HedgeDoc

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose whether an email address is registered.

The vulnerability exists because the registration endpoint generates error messages that reveal sensitive information when handling registration requests. A remote attacker can submit a registration attempt with a chosen email address to learn whether that address is already registered.

Only instances with the local account system enabled are vulnerable, and registration must also be enabled.
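As an added illustration (not HedgeDoc's own code), the CWE-209 pattern described above is shown beside a handler whose response does not depend on whether the address exists; the in-memory store, handler names and messages are hypothetical, and password hashing is omitted.

```javascript
// Constructed in-memory account store (hypothetical, not HedgeDoc's data model).
const accounts = new Map([['alice@example.com', { id: 1 }]]);

// Vulnerable pattern (CWE-209): the status code and error text differ
// depending on whether the submitted address already has an account,
// so the response itself discloses account existence.
function registerLeaky(store, email, password) {
  if (store.has(email)) {
    return { status: 409, body: { error: 'email already registered' } };
  }
  store.set(email, { id: store.size + 1, password });
  return { status: 201, body: { message: 'account created' } };
}

// Hardened pattern: identical status and body in both branches. The
// distinguishing fact goes only to a server-side log (for detection of
// enumeration attempts) and, in a real deployment, to the mailbox owner.
// A production handler must also keep timing equal across branches
// (e.g. run the same password hashing work whether or not the account exists).
function registerUniform(store, email, password, log = () => {}) {
  if (store.has(email)) {
    log(`registration attempt for existing address ${email}`);
  } else {
    store.set(store_key(email), { id: store.size + 1, password });
  }
  return {
    status: 202,
    body: { message: 'If the address is eligible, a confirmation email has been sent.' },
  };
}

// Normalise the key so case variants of one address map to one account.
function store_key(email) {
  return email.trim().toLowerCase();
}

// Defender-side check: are the responses for a known and an unknown
// address distinguishable? Each call gets a fresh copy of the store so
// the comparison is not affected by the handler's own side effects.
function responsesDistinguishable(handler, store, knownEmail, unknownEmail) {
  const a = JSON.stringify(handler(new Map(store), knownEmail, 'pw'));
  const b = JSON.stringify(handler(new Map(store), unknownEmail, 'pw'));
  return a !== b;
}
```

The same comparison can be pointed at a real endpoint's HTTP responses (status, headers, body, and timing) as a regression check after applying the vendor update.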


Remediation

Install the security update from the vendor's website.

Sources