IDOR allowing an attacker to see other users' entries in wallabag/wallabag
Jan 4th 2023
The entry export functionality is vulnerable to an IDOR attack.
Proof of Concept
- Create a new entry as an existing user. Let's say the entry's id is 1.
- Create a new user and login as them.
- Go to
An attacker can see other users' entries.
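The flaw class this report describes, as an added illustration that is not wallabag's own code or part of the original report: an export handler that looks an entry up by id alone, the same handler scoped to the session user, and a regression check that lists cross-user leaks. All names and the sample data are constructed for the example.

```python
# Constructed, in-memory model of an "export entry by id" endpoint.
# Entry, export_unscoped, export_scoped and leaked_ids are hypothetical names.
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both missing and foreign entries, so ids cannot be probed."""


@dataclass(frozen=True)
class Entry:
    id: int
    owner_id: int
    title: str
    content: str


# Constructed sample data: user 1 owns entry 1, user 2 owns entry 2.
ENTRIES = {
    1: Entry(1, owner_id=1, title="private note", content="user 1 only"),
    2: Entry(2, owner_id=2, title="other note", content="user 2 only"),
}


def export_unscoped(current_user_id: int, entry_id: int) -> str:
    """Vulnerable pattern: lookup by id only, the session user is never consulted."""
    entry = ENTRIES.get(entry_id)
    if entry is None:
        raise NotFound(entry_id)
    return f"{entry.title}\n{entry.content}"


def export_scoped(current_user_id: int, entry_id: int) -> str:
    """Hardened pattern: the lookup succeeds only for entries the caller owns."""
    entry = ENTRIES.get(entry_id)
    if entry is None or entry.owner_id != current_user_id:
        raise NotFound(entry_id)
    return f"{entry.title}\n{entry.content}"


def leaked_ids(export, user_id: int) -> list[int]:
    """Regression check: ids of entries `user_id` can export but does not own."""
    leaked = []
    for entry_id, entry in ENTRIES.items():
        try:
            export(user_id, entry_id)
        except NotFound:
            continue
        if entry.owner_id != user_id:
            leaked.append(entry_id)
    return leaked
```

Running `leaked_ids` for every test user against each id-addressed endpoint gives an access-control regression test that fails whenever a handler stops scoping its lookup to the session user.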
Kevin Decherf validated this vulnerability 4 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
commented 4 months ago
Vulnerability published on GitHub: https://github.com/wallabag/wallabag/security/advisories/GHSA-qwx8-mxxx-mg96
Fix released in 2.5.3: https://github.com/wallabag/wallabag/releases/tag/2.5.3
Kevin Decherf marked this as fixed in 2.5.3 with commit 0f7460 4 months ago
This vulnerability has been assigned a CVE
A wallabag/wallabag maintainer gave praise 4 months ago
Thank you @bauh0lz!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1