Race Conditional exists in the collection in answerdev/answer


Reported on

Jan 12th 2023


Ordinary users can use this vulnerability to attack other users' question collection, which can break through a single user's operation of only collecting or canceling the collection, resulting in too many or negative collections

Proof of Concept

step1 . Open burp, click collection, and block the request package image-20230112232340532 image-20230112232411732

step2 .Right click to send the request package to Turbo Intruder image-20230112232609764 Add a request header x-req: %s , then last code user select examples/race.py and click attack image-20230112233041258 image-20230112233105438

setp3. Turn off burp interception, refresh your question, and you can see that the limit has been broken image-20230112233211607


It can break the limit of user's single collection or cancellation of collection, and attackers can maliciously attack the number of other users' question collections, such as adding/reducing a large number of collections


Add transaction to collection operation or add lock

We are processing your report and will contact the answerdev/answer team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the answerdev/answer team and are waiting to hear back a year ago
We have sent a follow up to the answerdev/answer team. We will try again in 4 days. a year ago
answerdev/answer maintainer validated this vulnerability a year ago
1derian has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in 1.0.4 with commit 1ee34b a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation