User can read any series without permission in kareadita/kavita
Sep 17th 2022
A normal user can access any series without permission if they have access to at least one library.
Tested on the latest release 0.5.6.0 and on the Docker image 'kizaing/kavita:latest', pulled on September 17, 12:30 UTC (Digest: sha256:6e61cdadde2f80e68f1f26cdf935af5c8b3d0db6a7a5f248a4972d251d9998e9).
The program uses URLs of format:
If the user has access to library-number 1 (for example), then the user can access any series through its series-number by using URL:
It does not matter whether the referenced series is actually in that library; the software grants the user access to the series regardless.
Note that the user does need to know the series-number, but since these are handed out sequentially starting from 1, it is not hard for a user to enumerate every series available on the server and access all of them.
This vulnerability lets any user who has access to at least one library gain access to all series in all libraries.
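The flaw described above is a broken object-level authorization check: access is decided on the client-supplied library-number alone, and the series-number is never checked against that library. The following is an added illustration of that pattern and its fix, written for this report; it is not Kavita's code, and the `Series`, `User`, sample ids and function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Series:
    id: int
    library_id: int  # the library this series actually belongs to


@dataclass(frozen=True)
class User:
    name: str
    library_ids: frozenset  # libraries this user is permitted to read


# Constructed sample data (not taken from any real Kavita instance):
# library 1 holds series 10 and 11, library 2 holds series 20.
SERIES = {
    10: Series(10, 1),
    11: Series(11, 1),
    20: Series(20, 2),
}


def vulnerable_can_read(user: User, library_id: int, series_id: int) -> bool:
    """Mirrors the reported behaviour: only the library in the URL is
    authorized; the series is merely checked to exist."""
    return library_id in user.library_ids and series_id in SERIES


def hardened_can_read(user: User, library_id: int, series_id: int) -> bool:
    """Authorize on the series' real owning library, never on the
    caller-supplied parent id. A mismatched library id is also rejected."""
    series = SERIES.get(series_id)
    if series is None:
        return False
    if series.library_id != library_id:
        return False
    return series.library_id in user.library_ids


def exposed_series(check, user: User, library_id: int, max_id: int = 25) -> list:
    """Test helper: which series ids a given check would let this user read
    when ids are walked sequentially, as the report describes."""
    return sorted(s for s in range(1, max_id + 1) if check(user, library_id, s))


if __name__ == "__main__":
    alice = User("alice", frozenset({1}))  # may read library 1 only
    print("vulnerable:", exposed_series(vulnerable_can_read, alice, 1))
    print("hardened:  ", exposed_series(hardened_can_read, alice, 1))
```

The decisive difference is the single line that looks up the series first and authorizes on `series.library_id`; any handler that trusts a parent identifier from the URL instead of the object's stored relationship will reproduce the reported behaviour.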