Hedgedoc
Monthly
HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.
Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "alias bomb" in the note frontmatter. Because HedgeDoc parsed frontmatter with the unsafe js-yaml v3 load (via @hedgedoc/meta-marked) and resolved anchor aliases, a compact ten-level payload expands into a massive object that blocks the single Node.js event loop for roughly 235 seconds on every request to the publish view (/s/<shortid>) or, under the opengraph key, the editor view (/<noteId>). No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the stored payload persists in the database and re-triggers after process restarts, making outages durable until the note is deleted.
Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. No public exploit code has been identified at time of analysis, and no KEV listing exists; the fix is available in version 1.11.0.
Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.
HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.
Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "alias bomb" in the note frontmatter. Because HedgeDoc parsed frontmatter with the unsafe js-yaml v3 load (via @hedgedoc/meta-marked) and resolved anchor aliases, a compact ten-level payload expands into a massive object that blocks the single Node.js event loop for roughly 235 seconds on every request to the publish view (/s/<shortid>) or, under the opengraph key, the editor view (/<noteId>). No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the stored payload persists in the database and re-triggers after process restarts, making outages durable until the note is deleted.
Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. No public exploit code has been identified at time of analysis, and no KEV listing exists; the fix is available in version 1.11.0.
Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.
HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.