Headline
GHSA-56fm-hfp3-x3w3: Wallabag user can disable 2FA unintentionally
Impact
wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily disable 2FA through /config/otp/app/disable and /config/otp/email/disable.
This vulnerability has a CVSSv3.1 score of 4.3.
You should upgrade your instance to version 2.6.7 or higher.
Resolution
These endpoints now require POST method.
Credits
We would like to thank @dhina016 for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/4c446fe7-2a44-4907-b0cf-4ab77d75c487/
Package
composer wallabag/wallabag (Composer)
Affected versions
>= 2.0.0-alpha.1, < 2.6.7
Patched versions
2.6.7
Description
Impact
wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily disable 2FA through /config/otp/app/disable and /config/otp/email/disable.
This vulnerability has a CVSSv3.1 score of 4.3.
You should upgrade your instance to version 2.6.7 or higher.
Resolution
These endpoints now require POST method.
Credits
We would like to thank @dhina016 for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/4c446fe7-2a44-4907-b0cf-4ab77d75c487/
References
- GHSA-56fm-hfp3-x3w3
- wallabag/wallabag@0cfdddc
- https://huntr.dev/bounties/4c446fe7-2a44-4907-b0cf-4ab77d75c487/
j0k3r published to wallabag/wallabag
Oct 2, 2023
Published to the GitHub Advisory Database
Oct 2, 2023
Reviewed
Oct 2, 2023
Last updated
Oct 2, 2023