Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-mrqx-mjc4-vfh3: wallabag subject to Improper Authorization via annotations

Impact

The annotations feature lets users add annotations on highlighted parts of an entry.

The controller does not validate authorization on PUT and DELETE requests which lets a logged user modify or delete any annotation using their ID on their endpoints example.org/annotations/{id}.

These vulnerable requests also disclose highlighted parts of the entry to the attacker.

You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.

Resolution

A user check is now done in the vulnerable methods before applying change on an annotation.

The Annotation retrieval through a ParamConverter has also been replaced with a call to the AnnotationRepository in order to prevent any information disclosure through response discrepancy.

Workarounds

Credits

We would like to thank @bAuh0lz for reporting this issue through huntr.dev.

Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/

ghsa
Open in Source
#auth

Impact

The annotations feature lets users add annotations on highlighted parts of an entry.

The controller does not validate authorization on PUT and DELETE requests which lets a logged user modify or delete any annotation using their ID on their endpoints example.org/annotations/{id}.

These vulnerable requests also disclose highlighted parts of the entry to the attacker.

You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.

Resolution

A user check is now done in the vulnerable methods before applying change on an annotation.

The Annotation retrieval through a ParamConverter has also been replaced with a call to the AnnotationRepository in order to prevent any information disclosure through response discrepancy.

Workarounds****Credits

We would like to thank @bAuh0lz for reporting this issue through huntr.dev.

Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/

References

  • GHSA-mrqx-mjc4-vfh3
  • https://nvd.nist.gov/vuln/detail/CVE-2023-0610
  • wallabag/wallabag@5ac6b6b
  • https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926

Related news

CVE-2023-0610: Merge pull request from GHSA-mrqx-mjc4-vfh3 · wallabag/wallabag@5ac6b6b

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

ghsa: Latest News

GHSA-7m27-7ghc-44w9: Next.js Allows a Denial of Service (DoS) with Server Actions
ghsa