Multiple Idor in sissbruecker/linkding

Valid

Reported on

Mar 19th 2022


Description

There are multiple idors i found. In bookmarks/<int:bookmark_id>/edit, bookmarks/<int:bookmark_id>/remove, bookmarks/<int:bookmark_id>/archive, bookmarks/<int:bookmark_id>/unarchive. It gets the object provided in the bookmark_id without checking if the owner of the object is the current user.

Proof of Concept

1. Go to https://demo.linkding.link/bookmarks/5/remove
2. The bookmark id 5 will be removed even if you dont own the bookmark. 

Impact

Idor

We are processing your report and will contact the sissbruecker/linkding team within 24 hours. 2 months ago
sissbruecker/linkding maintainer has acknowledged this report 2 months ago
Sascha
2 months ago

Maintainer


Thanks for reporting this @noobexploiterhuntrdev, this is kind of bad. But should be easy to fix. I'll try to get it done this week.

We have contacted a member of the sissbruecker/linkding team and are waiting to hear back 2 months ago
Sascha Ißbrücker validated this vulnerability 2 months ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sascha Ißbrücker confirmed that a fix has been merged on 1ffc3e 2 months ago
The fix bounty has been dropped
bookmarks.py#L111 has been validated
bookmarks.py#L149 has been validated
bookmarks.py#L140 has been validated
bookmarks.py#L158 has been validated
to join this conversation