CVE-2020-26286

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26286
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26286.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-26286
Related
  • GHSA-wcr3-xhv7-8gxc
Published
2020-12-29T00:15:12Z
Modified
2025-01-15T01:45:11.231806Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1, an unauthenticated attacker can upload arbitrary files to the upload storage backend, including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should, however, verify that your uploaded file storage contains only files that are allowed, as uploaded files might still be served. As a workaround, you can block the /uploadimage endpoint on your instance using your reverse proxy, and/or restrict the MIME types and file names served from your upload file storage.

Affected packages

Git / github.com/hedgedoc/hedgedoc

Affected ranges

Type
GIT
Repo
https://github.com/hedgedoc/hedgedoc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*

0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.5.0

1.*

1.0.0-ce
1.0.1-ce
1.1.0-ce
1.1.1-ce
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.5.0
1.6.0
1.7.0
1.7.0-rc1
1.7.0-rc2

v0.*

v0.3.3
v0.3.4