CVE-2020-26286
HedgeDoc prior to 1.7.1 allows unauthenticated arbitrary file uploads to the upload storage backend (HTML/JS/PHP). It is patched in 1.7.1. Verify that stored files are allowed, as uploaded files might still be served. Workarounds: block the /uploadimage endpoint via a reverse proxy and/or restric...