Unauthenticated reading list item deletion in kareadita/kavita

Valid

Reported on Aug 7th 2022


Description

An unauthenticated user can delete any book item from any user's reading list in the system via the /api/readinglist/delete-item API endpoint: the endpoint performs no authentication check and no check that the caller owns the target reading list.

Proof of Concept

1 - Send the following request with no session or token, where x is the target readingListId and y is the readingListItemId of the item to delete from that list:

POST http://localhost:5000/api/readinglist/delete-item HTTP/1.1
Content-Type: application/json

{"readingListId":<x>,"readingListItemId":<y>}

Impact

An unauthenticated attacker can delete all book items from all user personal reading lists.
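The defect the report describes is a write endpoint with neither an authentication requirement nor an ownership check. The block below is an added example written for this page, not Kavita's own source or its actual fix: it shows, in the ASP.NET Core style the project uses, an assumed "before" shape matching the report (no [Authorize], no ownership check) beside a hardened shape. Controller, repository and DTO names (VulnerableReadingListController, HardenedReadingListController, IReadingListRepository, DeleteReadingListItemDto) and the claim used to identify the caller are assumptions for illustration.

```csharp
// Added example, not Kavita's code. Names below are assumed for illustration.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Body of POST /api/readinglist/delete-item, matching the PoC JSON fields.
public class DeleteReadingListItemDto
{
    public int ReadingListId { get; set; }
    public int ReadingListItemId { get; set; }
}

// Minimal domain model assumed for the example.
public class ReadingListItem
{
    public int Id { get; set; }
    public int ReadingListId { get; set; }
}

public class ReadingList
{
    public int Id { get; set; }
    public int AppUserId { get; set; }          // owner of the list
    public List<ReadingListItem> Items { get; set; } = new List<ReadingListItem>();
}

// Assumed repository abstraction; returns null when the list does not exist.
public interface IReadingListRepository
{
    Task<ReadingList> GetWithItemsAsync(int readingListId);
    Task<bool> SaveAsync();
}

// BEFORE: anyone who can reach the port can delete any item from any list.
// Nothing requires a logged-in user and nothing ties the list to the caller.
[ApiController]
[Route("api/readinglist")]
public class VulnerableReadingListController : ControllerBase
{
    private readonly IReadingListRepository _repo;
    public VulnerableReadingListController(IReadingListRepository repo) => _repo = repo;

    [HttpPost("delete-item")]
    public async Task<ActionResult> DeleteListItem(DeleteReadingListItemDto dto)
    {
        var list = await _repo.GetWithItemsAsync(dto.ReadingListId);
        if (list == null) return BadRequest("Reading list not found");
        list.Items.RemoveAll(i => i.Id == dto.ReadingListItemId);
        await _repo.SaveAsync();
        return Ok("Updated");
    }
}

// AFTER: [Authorize] rejects unauthenticated requests with 401 before the
// action runs, and the action refuses to touch a list the caller does not own.
[Authorize]
[ApiController]
[Route("api/readinglist")]
public class HardenedReadingListController : ControllerBase
{
    private readonly IReadingListRepository _repo;
    public HardenedReadingListController(IReadingListRepository repo) => _repo = repo;

    [HttpPost("delete-item")]
    public async Task<ActionResult> DeleteListItem(DeleteReadingListItemDto dto)
    {
        // Identify the caller from the authenticated principal, never from the request body.
        // (Which claim carries the user id is an assumption of this example.)
        var idClaim = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!int.TryParse(idClaim, out var userId)) return Unauthorized();

        var list = await _repo.GetWithItemsAsync(dto.ReadingListId);
        // Same response for "does not exist" and "not yours", so a logged-in
        // attacker cannot use this endpoint to enumerate other users' list ids.
        if (list == null || list.AppUserId != userId) return BadRequest("Reading list not found");

        // Only delete an item that actually belongs to the list the caller owns.
        var item = list.Items.Find(i => i.Id == dto.ReadingListItemId && i.ReadingListId == list.Id);
        if (item == null) return BadRequest("Item not found");

        list.Items.Remove(item);
        if (!await _repo.SaveAsync()) return BadRequest("Could not update reading list");
        return Ok("Updated");
    }
}
```

Two checks follow from the hardened shape: the PoC request sent with no credentials should now be rejected with 401 rather than "Updated", and the same request sent by a logged-in user for a readingListId belonging to someone else should fail without modifying that list. Both are worth re-running after upgrading, since the authentication attribute alone does not cover the second case.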

We are processing your report and will contact the kareadita/kavita team within 24 hours.
A GitHub Issue asking the maintainers to create a SECURITY.md exists.
We have contacted a member of the kareadita/kavita team and are waiting to hear back.
kareadita/kavita maintainer has acknowledged this report.
Joe Milazzo modified the Severity from Critical (9.1) to High (8.2).
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Joe Milazzo validated this vulnerability.

This is a valid bug, more annoying than allowing any privilege escalation.

vultza has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7

Joe Milazzo (Maintainer):

Fixed locally

Joe Milazzo marked this as fixed in v0.5.4.1 with commit 9c31f7.
Joe Milazzo has been awarded the fix bounty.
This vulnerability will not receive a CVE