Impact
The annotations feature lets users add annotations on highlighted parts of an entry.
The controller does not validate authorization on PUT and DELETE requests which lets a logged user modify or delete any annotation using their ID on their endpoints example.org/annotations/{id}.
These vulnerable requests also disclose highlighted parts of the entry to the attacker.
This vulnerability has a CVSSv3.1 score of 5.4.
You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.
Resolution
A user check is now done in the vulnerable methods before applying change on an annotation.
The Annotation retrieval through a ParamConverter has also been replaced with a call to the AnnotationRepository in order to prevent any information disclosure through response discrepancy.
Workarounds
Credits
We would like to thank @bAuh0lz for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/
Impact
The annotations feature lets users add annotations on highlighted parts of an entry.
The controller does not validate authorization on
PUTandDELETErequests which lets a logged user modify or delete any annotation using their ID on their endpointsexample.org/annotations/{id}.These vulnerable requests also disclose highlighted parts of the entry to the attacker.
This vulnerability has a CVSSv3.1 score of 5.4.
You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.
Resolution
A user check is now done in the vulnerable methods before applying change on an annotation.
The Annotation retrieval through a
ParamConverterhas also been replaced with a call to theAnnotationRepositoryin order to prevent any information disclosure through response discrepancy.Workarounds
Credits
We would like to thank @bAuh0lz for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/