GHSA-mrqx-mjc4-vfh3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mrqx-mjc4-vfh3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrqx-mjc4-vfh3/GHSA-mrqx-mjc4-vfh3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mrqx-mjc4-vfh3
- Aliases
- Published
- 2023-02-02T19:26:47Z
- Modified
- 2024-12-07T05:38:52.391771Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- wallabag subject to Improper Authorization via annotations
- Details
-
Impact
The annotations feature lets users add annotations on highlighted parts of an entry.
The controller does not validate authorization on
PUTandDELETErequests which lets a logged user modify or delete any annotation using their ID on their endpointsexample.org/annotations/{id}.These vulnerable requests also disclose highlighted parts of the entry to the attacker.
You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.
Resolution
A user check is now done in the vulnerable methods before applying change on an annotation.
The Annotation retrieval through a
ParamConverterhas also been replaced with a call to theAnnotationRepositoryin order to prevent any information disclosure through response discrepancy.Workarounds
Credits
We would like to thank @bAuh0lz for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-02-02T19:26:47Z" }- References
-
- https://github.com/wallabag/wallabag/security/advisories/GHSA-mrqx-mjc4-vfh3
- https://nvd.nist.gov/vuln/detail/CVE-2023-0610
- https://github.com/wallabag/wallabag/commit/5ac6b6bff9e2e3a87fd88c2904ff3c6aac40722e
- https://github.com/wallabag/wallabag
- https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926
Affected packages
Packagist / wallabag/wallabag
Package
- Name
- wallabag/wallabag
- Purl
- pkg:composer/wallabag/wallabag