Impact
wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily disable 2FA through /config/otp/app/disable and /config/otp/email/disable.
This vulnerability has a CVSSv3.1 score of 4.3.
You should upgrade your instance to version 2.6.7 or higher.
Resolution
These endpoints now require POST method.
Credits
We would like to thank @dhina016 for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/4c446fe7-2a44-4907-b0cf-4ab77d75c487/
Impact
wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily disable 2FA through
/config/otp/app/disableand/config/otp/email/disable.This vulnerability has a CVSSv3.1 score of 4.3.
You should upgrade your instance to version 2.6.7 or higher.
Resolution
These endpoints now require POST method.
Credits
We would like to thank @dhina016 for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/4c446fe7-2a44-4907-b0cf-4ab77d75c487/