Unauthenticated book download and view details in kareadita/kavita

Valid

Reported on

Aug 7th 2022


Description

An unauthenticated user can download any book in the system, view its details and resources, and retrieve its individual pages, without any authentication or authorization check.

Unauthenticated book operations list:

1 - Download any book via the /api/reader/pdf endpoint.
2 - Get information on any book via the /api/book/<book-id>/book-info endpoint.
3 - Get all the resources of any book via the /api/book/<book-id>/book-resources endpoint.
4 - Get all the chapters of any book via the /api/book/<book-id>/chapters endpoint.
5 - Get individual pages of any book via the /api/book/<book-id>/book-page?page=<page> endpoint.
6 - Get the page image of any book via the /api/reader/image?chapterId=<book-id> endpoint.

Proof of Concept

Download book:

1 - Send the following request, where <chapterID> is the id of the target book.

GET /api/reader/pdf?chapterId=<chapterID>
Host: localhost:5000

2 - The book is downloaded successfully.

Impact

An unauthenticated user can download every book in the application and retrieve the related book information, without holding the permissions required to do so.
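The root cause is a class of bug rather than a single endpoint: a handler that serves protected resources without any authorization check. The following is an added illustration, not Kavita's code or its actual fix, of how an ASP.NET Core API (the framework Kavita is built on) can require an authenticated user on every endpoint by default, so that a forgotten attribute fails closed with 401 instead of serving the book; the controller, route and parameter names are simplified stand-ins, and authentication scheme setup is assumed.

```csharp
// Added illustration (not Kavita's code): deny-by-default authorization in ASP.NET Core.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Scheme registration (e.g. JWT bearer) is assumed and omitted here.
builder.Services.AddAuthentication();

builder.Services.AddAuthorization(options =>
{
    // Fallback policy: any endpoint that carries neither [Authorize] nor
    // [AllowAnonymous] still requires an authenticated user. An endpoint
    // someone forgot to annotate now answers 401, not with the resource.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical controller standing in for the reader endpoints listed above.
[ApiController]
[Route("api/reader")]
[Authorize]                 // explicit, even though the fallback policy already applies
public class ReaderController : ControllerBase
{
    [HttpGet("pdf")]
    public IActionResult GetPdf(int chapterId)
    {
        // Whether this caller may read this chapter is a per-resource check
        // on top of authentication; only a placeholder response is shown.
        return Ok($"pdf for chapter {chapterId} would be streamed here");
    }

    [AllowAnonymous]        // the only way an endpoint stays public: opting in explicitly
    [HttpGet("health")]
    public IActionResult Health() => Ok("ok");
}
```

With the fallback policy in place, an integration test that calls each listed endpoint without credentials and expects 401 turns the report's proof of concept into a regression check.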

We are processing your report and will contact the kareadita/kavita team within 24 hours. a year ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a year ago
Joe Milazzo validated this vulnerability a year ago

Fixed locally

vultza has been awarded the disclosure bounty
Joe Milazzo marked this as fixed in 0.5.4.1 with commit 9c31f7 a year ago
This vulnerability will not receive a CVE