IDOR allowing to see other users' entries in wallabag/wallabag


Reported on Jan 4th 2023


The entry export functionality is vulnerable to an IDOR (insecure direct object reference) attack: the export endpoint looks an entry up by its id without checking that the entry belongs to the authenticated user.

Proof of Concept

  1. Create a new entry as an existing user. Let's say the entry's id is 1.
  2. Create a new user and log in as them.
  3. Go to http://localhost:8000/export/1.txt. The entry created in step 1 is exported even though it belongs to another user.


Impact: any authenticated user can read other users' entries through the export endpoint.
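The following is an added illustration of the bug class and its fix; it is not wallabag's code. It models the export endpoint as a pair of handlers: the vulnerable one fetches the entry by id alone (the behaviour the proof of concept exercises), while the hardened one scopes the lookup to the authenticated user and records denied requests for detection. All users, entries and function names are constructed for the example.

```python
"""Added example, not wallabag's code: an in-memory model of an entry export
endpoint showing the missing ownership check and the corrected version.
Users, entries and names are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    id: int
    owner: str      # username of the user who saved the entry
    title: str
    content: str


@dataclass
class EntryStore:
    entries: dict = field(default_factory=dict)

    def find(self, entry_id):
        """Lookup by id only; the caller's identity plays no part."""
        return self.entries.get(entry_id)

    def find_for_user(self, entry_id, username):
        """Lookup scoped to the owner, so a foreign id simply matches nothing."""
        entry = self.entries.get(entry_id)
        if entry is not None and entry.owner == username:
            return entry
        return None


def render_txt(entry):
    return f"{entry.title}\n\n{entry.content}\n"


def export_vulnerable(store, current_user, entry_id, fmt):
    """Mirrors the reported bug: the entry is fetched by id and the owner is
    never compared with current_user, so any logged-in user can export it."""
    entry = store.find(entry_id)
    if entry is None:
        return 404, ""
    return 200, render_txt(entry)


# Constructed audit trail; a real deployment would write to its request log.
AUDIT_LOG = []


def export_fixed(store, current_user, entry_id, fmt):
    """Hardened handler: ownership is part of the query and denials are logged."""
    if fmt != "txt":
        return 400, ""
    entry = store.find_for_user(entry_id, current_user)
    if entry is None:
        # 404 rather than 403 so the response does not confirm that the id exists.
        AUDIT_LOG.append(f"export denied user={current_user} entry_id={entry_id}")
        return 404, ""
    return 200, render_txt(entry)


def demo():
    """Replays the proof of concept against both handlers.

    Returns the status codes for: bob hitting the vulnerable handler,
    bob hitting the fixed handler, and alice (the owner) hitting the fixed one."""
    store = EntryStore()
    store.entries[1] = Entry(1, "alice", "Alice's private article", "body text")
    # bob requests /export/1.txt for an entry he does not own
    before, _ = export_vulnerable(store, "bob", 1, "txt")
    after, _ = export_fixed(store, "bob", 1, "txt")
    owner, _ = export_fixed(store, "alice", 1, "txt")
    return before, after, owner


if __name__ == "__main__":
    print(demo())  # (200, 404, 200)
```

The design point is that the fix lives in the data access layer (`find_for_user`) rather than in a comparison bolted onto the handler: every code path that fetches an entry for a user then inherits the ownership constraint, and a denied request leaves an audit line that can be alerted on when one account probes many ids.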

Timeline:
  - We are processing your report and will contact the wallabag team within 24 hours (a year ago)
  - We have contacted a member of the wallabag team and are waiting to hear back (a year ago)
  - Kevin Decherf validated this vulnerability (a year ago)
  - bauh0lz has been awarded the disclosure bounty
  - The fix bounty is now up for grabs
  - The researcher's credibility has increased: +7

Kevin Decherf (a year ago):


Vulnerability published on GitHub. Fix released in 2.5.3.

  - Kevin Decherf marked this as fixed in 2.5.3 with commit 0f7460 (a year ago)
  - Kevin Decherf has been awarded the fix bounty
  - This vulnerability has now been published (a year ago)
  - wallabag/wallabag maintainer gave praise (a year ago): Thank you @bauh0lz!
  - The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1