Improper Access Control in bookstackapp/bookstack

huntr report C6DFA80D-43E6-4B49-95AF-CC031BB66B1D
Reported by haxatron on Nov 27, 2021, 18:36 (www.huntr.dev)

EPSS: 0.001 (Low), percentile 21.6%

Description

A user with API access can view any attachment, including ones they do not have read access to, because the API attachment read controller does not check read permissions.

Proof of Concept

1. From a default installation, give the "Public" role access to the system API.

2. Upload an attachment normally to a private page; the attachment is now located at http://[BOOKSTACK-URL]/attachments/1.

3. Log out and request http://[BOOKSTACK-URL]/api/attachments/1: the response contains the Base64-encoded attachment. Requesting http://[BOOKSTACK-URL]/attachments/1 instead says we need to log in.

4. Repeating the above with a user account (say, a viewer) allows access to http://[BOOKSTACK-URL]/api/attachments/1 but not to http://[BOOKSTACK-URL]/attachments/1, also proving that access is not being checked at the API controller.
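The four steps above describe one entry point (the web route) enforcing the owning page's read permission while another (the API route) enforces only API access. The following is an added illustration of that gap and of the fix a maintainer would apply, written in Python with constructed in-memory records; it is not BookStack's code, and the page, attachment, role and handler names are assumptions chosen for the example. It replays steps 3 and 4 against a web handler, the unchecked API handler, and a hardened API handler that reuses the same page permission check as the web route.

```python
import base64
from dataclasses import dataclass, field


# --- constructed sample data (not real BookStack records) ---

@dataclass
class Page:
    id: int
    reader_roles: set = field(default_factory=set)  # roles allowed to read the page


@dataclass
class Attachment:
    id: int
    page_id: int      # attachment permissions derive from the owning page
    content: bytes


@dataclass
class User:
    name: str
    roles: set
    has_api_access: bool = False


class Forbidden(Exception):
    pass


PAGES = {1: Page(id=1, reader_roles={"admin", "editor"})}          # a private page
ATTACHMENTS = {1: Attachment(id=1, page_id=1, content=b"internal memo")}


def can_read_page(user: User, page: Page) -> bool:
    """Single source of truth for read authorisation: role must be on the page's reader list."""
    return bool(user.roles & page.reader_roles)


def web_attachment_read(user: User, attachment_id: int) -> bytes:
    """Web route (/attachments/{id}): enforces the owning page's read permission."""
    att = ATTACHMENTS[attachment_id]
    if not can_read_page(user, PAGES[att.page_id]):
        raise Forbidden("login or read permission required")
    return att.content


def api_attachment_read_vulnerable(user: User, attachment_id: int) -> dict:
    """API route as described in the report: only API access is checked, never page permission."""
    if not user.has_api_access:
        raise Forbidden("API access required")
    att = ATTACHMENTS[attachment_id]
    return {"id": att.id, "content": base64.b64encode(att.content).decode()}


def api_attachment_read_fixed(user: User, attachment_id: int) -> dict:
    """Hardened API route: same page permission check as the web route, applied before returning data."""
    if not user.has_api_access:
        raise Forbidden("API access required")
    att = ATTACHMENTS[attachment_id]
    if not can_read_page(user, PAGES[att.page_id]):
        raise Forbidden("read permission required")
    return {"id": att.id, "content": base64.b64encode(att.content).decode()}


def outcome(handler, user: User, attachment_id: int) -> str:
    """Reduce a handler call to 'allowed' or 'denied' for comparison across routes."""
    try:
        handler(user, attachment_id)
        return "allowed"
    except Forbidden:
        return "denied"


def decoded_api_content(handler, user: User, attachment_id: int) -> bytes:
    """Decode the Base64 body an API handler returns (step 3 of the report)."""
    return base64.b64decode(handler(user, attachment_id)["content"])


def run_report_scenario() -> dict:
    """Replay steps 3 and 4: anonymous (Public role with API access), a viewer, and an admin."""
    public = User("anonymous", {"public"}, has_api_access=True)   # step 1: Public role given API access
    viewer = User("viewer", {"viewer"}, has_api_access=True)
    admin = User("admin", {"admin"}, has_api_access=True)
    handlers = {
        "web": web_attachment_read,
        "api_vulnerable": api_attachment_read_vulnerable,
        "api_fixed": api_attachment_read_fixed,
    }
    return {
        name: {u.name: outcome(h, u, 1) for u in (public, viewer, admin)}
        for name, h in handlers.items()
    }


if __name__ == "__main__":
    for route, results in run_report_scenario().items():
        print(route, results)
```

The point the scenario makes is that authorisation belongs to the resource, not the transport: any route that can return the bytes of an attachment has to run the same `can_read_page` check, and a test like `run_report_scenario()` that compares web and API outcomes per role is a cheap regression guard against one route drifting from the other.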

Impact

This vulnerability allows users with API access to read confidential attachment data to which they do not have read access.
