CVE-2024-52294

Name of the Vulnerable Software and Affected Versions Khoj versions prior to 1.29.10

Description The issue is related to an Insecure Direct Object Reference (IDOR) vulnerability in the update subscription endpoint, allowing any authenticated user to manipulate other users' Stripe subscriptions by modifying the email parameter in the request. The vulnerability exists in the subscription endpoint at "/api/subscription", which uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription.

Recommendations For versions prior to 1.29.10, update to version 1.29.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the /api/subscription endpoint to prevent unauthorized subscription modifications. Additionally, avoid using the email parameter in the affected API endpoint until the issue is resolved.