CVE-2023-38487
CVSS 3.1 Score 8.2 of 10 (high)
Details
Summary
CVE-2023-38487 affects HedgeDoc, software for real-time collaborative markdown notes, in versions of HedgeDoc 1 prior to 1.9.9. The API allows a new note to be created with an alias identical to the ID of an existing note, after which the original note is no longer reachable under its ID and is effectively hidden. The colliding note is created with a POST request to the `/new/<ALIAS>` endpoint, which is only available when freeURL mode is enabled; depending on the configuration, any client permitted to create notes can do this, including clients that are not logged in. An attacker can use this to serve a manipulated copy of the original note in its place, or to deny access to the original note altogether. On unpatched instances the impact is reduced by disabling freeURL mode or by restricting freeURL note creation to trusted, logged-in users. The issue was fixed in version 1.9.9.
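The following is an added configuration check, not code from the HedgeDoc project or from this advisory. It encodes the conditions stated above (fixed in 1.9.9; impact on older versions depends on whether freeURL mode is enabled and whether it is restricted to logged-in users) against the environment of a HedgeDoc 1 deployment. It assumes the deployment is configured through HedgeDoc's documented environment variables `CMD_ALLOW_FREEURL` and `CMD_REQUIRE_FREEURL_AUTHENTICATION`, both defaulting to false; adjust the names if your instance is configured via config.json instead.

```python
"""Exposure check for CVE-2023-38487 in a HedgeDoc 1.x deployment.

Added example (not HedgeDoc project code). Logic follows the advisory:
  - 1.9.9 and later include the fix;
  - earlier versions are only reachable via POST /new/<ALIAS> when freeURL
    mode is on;
  - limiting freeURL note creation to logged-in users reduces, but does not
    remove, the impact until the instance is upgraded.
Assumption: the instance is configured with the env vars CMD_ALLOW_FREEURL
and CMD_REQUIRE_FREEURL_AUTHENTICATION, both treated as false when unset.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_VERSION = (1, 9, 9)
TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.9.8' or 'v1.10.0' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised HedgeDoc version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def env_flag(env: dict[str, str], key: str, default: bool = False) -> bool:
    """Interpret a boolean-ish environment variable; unset means `default`."""
    value = env.get(key)
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


@dataclass(frozen=True)
class Finding:
    exposure: str      # "patched", "not_exposed", "mitigated" or "exposed"
    reason: str
    remediation: str


def assess(version: str, env: dict[str, str]) -> Finding:
    """Classify a deployment's exposure to CVE-2023-38487 from version + config."""
    if parse_version(version) >= FIXED_VERSION:
        return Finding(
            "patched",
            f"HedgeDoc {version} is 1.9.9 or later and contains the fix",
            "none required",
        )

    allow_free_url = env_flag(env, "CMD_ALLOW_FREEURL")
    require_auth = env_flag(env, "CMD_REQUIRE_FREEURL_AUTHENTICATION")

    if not allow_free_url:
        return Finding(
            "not_exposed",
            "freeURL mode is disabled, so POST /new/<ALIAS> cannot create aliased notes",
            "upgrade to 1.9.9 before enabling freeURL mode",
        )
    if require_auth:
        return Finding(
            "mitigated",
            "freeURL note creation is limited to logged-in users; trusted accounts "
            "can still hide an existing note by reusing its ID as an alias",
            "upgrade to 1.9.9; until then keep freeURL creation restricted to trusted users",
        )
    return Finding(
        "exposed",
        "freeURL mode is enabled for anonymous clients; any unauthenticated POST to "
        "/new/<existing-note-id> hides that note behind a note the attacker controls",
        "upgrade to 1.9.9, or set CMD_ALLOW_FREEURL=false, or set "
        "CMD_REQUIRE_FREEURL_AUTHENTICATION=true as an interim measure",
    )


if __name__ == "__main__":
    # Constructed sample deployments, for illustration only.
    samples = {
        "prod":    ("1.9.8", {"CMD_ALLOW_FREEURL": "true"}),
        "staging": ("1.9.8", {"CMD_ALLOW_FREEURL": "true",
                              "CMD_REQUIRE_FREEURL_AUTHENTICATION": "true"}),
        "docs":    ("1.9.9", {"CMD_ALLOW_FREEURL": "true"}),
    }
    for name, (ver, env) in samples.items():
        f = assess(ver, env)
        print(f"{name:8} {ver:7} {f.exposure:12} {f.reason}\n{'':29}-> {f.remediation}")
```

Run it against the real version string and environment of each instance (for example the output of `docker inspect` or the systemd unit's environment); anything reported as `exposed` should be upgraded or reconfigured first, and `mitigated` instances still need the upgrade.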
Affected Products
- HedgeDoc
Affected Vendors
- Hedgedoc