IDOR allowing to see other users' entries in wallabag/wallabag
Valid
Reported on Jan 4th 2023
Description
The entry export functionality is vulnerable to an IDOR (insecure direct object reference) attack: the export endpoint takes an entry id and does not check that the entry belongs to the logged-in user.
Proof of Concept
- Create a new entry as an existing user. Let's say the entry's id is 1.
- Create a new user and log in as them.
- Go to http://localhost:8000/export/1.txt.
Impact
An attacker can see other users' entries.
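The bug described above comes down to one missing ownership check on the export route. The following is an added illustration, not wallabag's own code (wallabag is PHP; this is a self-contained Python model with constructed sample entries), showing the unscoped lookup beside the ownership-scoped one and a small regression check that flags any handler letting one user export another user's entry:

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Entry:
    id: int
    user_id: int
    title: str
    content: str


# Constructed sample data: entry 1 belongs to user 1, entry 2 to user 2.
ENTRIES: Dict[int, Entry] = {
    1: Entry(1, 1, "Private note", "only user 1 should be able to read this"),
    2: Entry(2, 2, "Another note", "belongs to user 2"),
}


class ExportError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def render_txt(entry: Entry) -> str:
    return f"{entry.title}\n\n{entry.content}\n"


def export_vulnerable(current_user_id: int, entry_id: int) -> str:
    """Models the reported bug: the entry is fetched by id alone, so the
    identity of the caller never influences the result."""
    entry = ENTRIES.get(entry_id)
    if entry is None:
        raise ExportError(404)
    return render_txt(entry)


def export_fixed(current_user_id: int, entry_id: int) -> str:
    """Ownership-scoped lookup: the entry must match both id and owner.
    A foreign entry is answered like a missing one (404, not 403), so the
    response does not confirm that the id exists."""
    entry = ENTRIES.get(entry_id)
    if entry is None or entry.user_id != current_user_id:
        raise ExportError(404)
    return render_txt(entry)


def status_of(handler: Callable[[int, int], str], user_id: int, entry_id: int) -> int:
    try:
        handler(user_id, entry_id)
        return 200
    except ExportError as err:
        return err.status


def leaks_cross_user(handler: Callable[[int, int], str]) -> bool:
    """Regression check: can any user export an entry they do not own?"""
    users = {e.user_id for e in ENTRIES.values()}
    return any(status_of(handler, u, e.id) == 200
               for u in users for e in ENTRIES.values() if e.user_id != u)
```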
We are processing your report and will contact the wallabag team within 24 hours.
5 months ago
We have contacted a member of the wallabag team and are waiting to hear back
5 months ago
The researcher's credibility has increased: +7
Vulnerability published on GitHub: https://github.com/wallabag/wallabag/security/advisories/GHSA-qwx8-mxxx-mg96
Fix released in 2.5.3: https://github.com/wallabag/wallabag/releases/tag/2.5.3
Thank you @bauh0lz!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1