CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
25.5%
The annotations feature lets users add annotations on highlighted parts of an entry.
The controller does not validate authorization on PUT
and DELETE
requests which lets a logged user modify or delete any annotation using their ID on their endpoints example.org/annotations/{id}
.
These vulnerable requests also disclose highlighted parts of the entry to the attacker.
You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.
A user check is now done in the vulnerable methods before applying change on an annotation.
The Annotation retrieval through a ParamConverter
has also been replaced with a call to the AnnotationRepository
in order to prevent any information disclosure through response discrepancy.
We would like to thank @bAuh0lz for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/