Unauthenticated reading list item deletion in kareadita/kavita

Valid

Reported on

Aug 7th 2022


Description

An unauthenticated user can delete any book item from any user's reading list in the system, with no authentication or authorization check, via the /api/readinglist/delete-item API endpoint.

Proof of Concept

1 - Send the following request, where x is the target readingListId and y is the readingListItemId of the item in that list:

POST http://localhost:5000/api/readinglist/delete-item HTTP/1.1
Content-Type: application/json

{"readingListId":<x>,"readingListItemId":<y>}

Impact

An unauthenticated attacker can delete all book items from all users' personal reading lists.
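The report boils down to an endpoint that performs a destructive action without first establishing who the caller is and whether the caller owns the targeted list. The following ASP.NET Core controller is an added example (not Kavita's own code, and not taken from the fix commit) that contrasts the weak shape of such an endpoint with a hardened one; ReadingList, ReadingListItem, IReadingListRepository, DeleteReadingListItemDto and the OwnerUserId property are hypothetical stand-ins for illustration.

```csharp
// Added example (not Kavita's code): a minimal ASP.NET Core controller showing
// a delete-item endpoint with no authentication or ownership check beside one
// that requires a signed-in user and verifies the list belongs to that user.
// ReadingList, IReadingListRepository and the DTO are hypothetical stand-ins.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class DeleteReadingListItemDto
{
    public int ReadingListId { get; set; }
    public int ReadingListItemId { get; set; }
}

public class ReadingList
{
    public int Id { get; set; }
    public int OwnerUserId { get; set; }   // hypothetical: who owns the list
}

public interface IReadingListRepository
{
    Task<ReadingList?> GetByIdAsync(int readingListId);
    Task<bool> RemoveItemAsync(int readingListId, int readingListItemId);
}

[ApiController]
[Route("api/readinglist")]
public class ReadingListController : ControllerBase
{
    private readonly IReadingListRepository _repo;

    public ReadingListController(IReadingListRepository repo) => _repo = repo;

    // Weak shape (illustrative route name): reachable without a session, and the
    // list is never compared against the caller, so any id pair is accepted.
    [HttpPost("delete-item-unchecked")]
    public async Task<IActionResult> DeleteItemUnchecked([FromBody] DeleteReadingListItemDto dto)
    {
        await _repo.RemoveItemAsync(dto.ReadingListId, dto.ReadingListItemId);
        return Ok();
    }

    // Hardened: [Authorize] rejects anonymous callers with 401 before the action
    // body runs; the ownership check then rejects lists owned by other users.
    [Authorize]
    [HttpPost("delete-item")]
    public async Task<IActionResult> DeleteItem([FromBody] DeleteReadingListItemDto dto)
    {
        var userIdClaim = User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (!int.TryParse(userIdClaim, out var userId))
        {
            return Unauthorized();
        }

        var list = await _repo.GetByIdAsync(dto.ReadingListId);
        // Same 404 for "does not exist" and "not yours", so the endpoint does not
        // confirm which list ids belong to other users.
        if (list == null || list.OwnerUserId != userId)
        {
            return NotFound();
        }

        var removed = await _repo.RemoveItemAsync(dto.ReadingListId, dto.ReadingListItemId);
        return removed ? Ok() : NotFound();
    }
}
```

The two checks are independent: [Authorize] alone still lets any logged-in user delete items from other users' lists, which is why the ownership comparison against the caller's user id is needed in addition to authentication. When reviewing an API for this class of bug, the quick check is to list every state-changing action and confirm each one both requires a principal and ties the targeted resource back to that principal.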

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 months ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a month ago
kareadita/kavita maintainer has acknowledged this report a month ago
Joseph Milazzo modified the Severity from Critical (9.1) to High (8.2) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Joseph Milazzo validated this vulnerability a month ago

This is a valid bug, more annoying than allowing any privilege escalation.

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joseph Milazzo (Maintainer), a month ago:

Fixed locally

Joseph Milazzo confirmed that a fix has been merged on 9c31f7 a month ago
Joseph Milazzo has been awarded the fix bounty