IDOR allowing to see other users' entries in wallabag/wallabag

Valid

Reported on

Jan 4th 2023

Description

The exporting entry functionality is vulnerable to an IDOR attack.

Proof of Concept

Create a new entry as an existing user. Let's say the entry's id is 1.
Create a new user and login as them.
Go to http://localhost:8000/export/1.txt.

Impact

An attacker can see other users' entries.

We are processing your report and will contact the wallabag team within 24 hours. 5 months ago

We have contacted a member of the wallabag team and are waiting to hear back 5 months ago

Kevin Decherf validated this vulnerability 4 months ago

bAu has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Kevin Decherf

commented 4 months ago

Maintainer

Vulnerability published on GitHub: https://github.com/wallabag/wallabag/security/advisories/GHSA-qwx8-mxxx-mg96 Fix released in 2.5.3: https://github.com/wallabag/wallabag/releases/tag/2.5.3

Kevin Decherf marked this as fixed in 2.5.3 with commit 0f7460 4 months ago

Kevin Decherf has been awarded the fix bounty

This vulnerability has been assigned a CVE

Kevin Decherf published this vulnerability 4 months ago

A wallabag/wallabag maintainer gave praise 4 months ago

Thank you @bauh0lz!

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

to join this conversation