PT-2023-16400 · Wallabag · Wallabag

J0K3R · Published 2023-02-01 · Updated 2023-02-08 · CVE-2023-0610

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: wallabag versions prior to 2.5.3

Description: The issue is improper authorization in the wallabag GitHub repository. The annotations feature lets users add annotations to highlighted parts of an entry, but the controller does not check authorization on PUT and DELETE requests. A logged-in user can therefore modify or delete any annotation, regardless of who owns it, simply by supplying its ID to the endpoint example.org/annotations/{id}. Because the annotation is loaded before any ownership check, the vulnerability also discloses the highlighted parts of the entry to the attacker.

Recommendations: For versions prior to 2.5.3, update to version 2.5.3 or higher, especially if you have more than one user and/or open registration. As a temporary workaround, consider restricting access to the annotations feature until the update is applied. In the code, ensure that a user check is performed in the vulnerable methods before any change is applied to an annotation, and replace the retrieval of the Annotation through a ParamConverter with a call to the AnnotationRepository that is constrained to the current user, so that a foreign ID never resolves to another user's record and no information is disclosed.
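The following is an added illustration of the pattern described above and of the recommended fix; it is not wallabag's own code. It is written in Symfony style because wallabag is a Symfony application, but the controller, repository and entity names (AnnotationController, AnnotationRepository, Annotation, setText) are hypothetical.

```php
<?php
// Added illustration (not wallabag's code). Shows a Symfony-style annotation
// controller in the vulnerable form (ParamConverter loads the entity by primary
// key, no ownership check) and in the hardened form (repository lookup scoped
// to the current user). Class, entity and method names are hypothetical; in a
// real application only ONE of the two controllers would be registered.

use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;

// VULNERABLE: the {id} placeholder is resolved by the ParamConverter into an
// Annotation entity using only its primary key. Every authenticated user can
// reach every annotation, and the loaded entity (with the highlighted text) is
// both modified and echoed back without any ownership check.
final class VulnerableAnnotationController extends AbstractController
{
    public function __construct(private EntityManagerInterface $em) {}

    #[Route('/annotations/{id}', name: 'annotation_update_vulnerable', methods: ['PUT'])]
    public function update(Request $request, Annotation $annotation): JsonResponse
    {
        $data = json_decode($request->getContent(), true) ?? [];
        $annotation->setText((string) ($data['text'] ?? ''));
        $this->em->flush();
        return $this->json($annotation);
    }

    #[Route('/annotations/{id}', name: 'annotation_delete_vulnerable', methods: ['DELETE'])]
    public function delete(Annotation $annotation): JsonResponse
    {
        $this->em->remove($annotation);
        $this->em->flush();
        return new JsonResponse(null, 204);
    }
}

// FIXED: the annotation is fetched through the repository with the current
// user as part of the lookup criteria. An id that belongs to another user
// simply yields null, so the handler returns 404 and never touches or reveals
// the foreign record. The check happens before any write.
final class AnnotationController extends AbstractController
{
    public function __construct(
        private EntityManagerInterface $em,
        private AnnotationRepository $annotations, // hypothetical Doctrine repository
    ) {}

    // Shared lookup: ownership is enforced by the query itself, not by a
    // post-hoc comparison on an already loaded entity.
    private function findOwned(int $id): Annotation
    {
        $annotation = $this->annotations->findOneBy([
            'id'   => $id,
            'user' => $this->getUser(),
        ]);
        if ($annotation === null) {
            // Same response for "does not exist" and "not yours": no disclosure.
            throw $this->createNotFoundException();
        }
        return $annotation;
    }

    #[Route('/annotations/{id}', name: 'annotation_update', methods: ['PUT'])]
    public function update(Request $request, int $id): JsonResponse
    {
        $annotation = $this->findOwned($id);
        $data = json_decode($request->getContent(), true) ?? [];
        $annotation->setText((string) ($data['text'] ?? ''));
        $this->em->flush();
        return $this->json($annotation);
    }

    #[Route('/annotations/{id}', name: 'annotation_delete', methods: ['DELETE'])]
    public function delete(int $id): JsonResponse
    {
        $annotation = $this->findOwned($id);
        $this->em->remove($annotation);
        $this->em->flush();
        return new JsonResponse(null, 204);
    }
}
```

The design point is that the ownership constraint lives in the repository query rather than in a comparison performed after a ParamConverter has already loaded the entity: a forged ID then never materialises another user's annotation in memory, which closes both the modification/deletion path and the disclosure of highlighted text in one change. A detection-side check for the unpatched version is to alert on PUT/DELETE requests to /annotations/{id} whose {id} does not belong to the requesting user.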

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2023-0610
GHSA-MRQX-MJC4-VFH3
GHSA-XRW3-WQPH-3FXG

Affected Products

Wallabag