Name of the Vulnerable Software and Affected Versions Umami (affected versions not specified)

Description The issue allows anyone with a share link to reset website data. When a user navigates to a /share/ URL, they receive a share token used for authentication, which is later verified by useAuth. This token can be used to call most GET APIs for fetching website stats. However, the POST /reset endpoint is secured using canViewWebsite, which is an incorrect verification for such a destructive action, making it possible to completely reset all website data with only view permissions.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.