5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-0610

CVE-2023-0610: wallabag subject to Improper Authorization via annotations

Impact

The annotations feature lets users add annotations on highlighted parts of an entry.

The controller does not validate authorization on PUT and DELETE requests which lets a logged user modify or delete any annotation using their ID on their endpoints example.org/annotations/{id}.

These vulnerable requests also disclose highlighted parts of the entry to the attacker.

You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.

Resolution

A user check is now done in the vulnerable methods before applying change on an annotation.

The Annotation retrieval through a ParamConverter has also been replaced with a call to the AnnotationRepository in order to prevent any information disclosure through response discrepancy.

Workarounds

Credits

We would like to thank @bAuh0lz for reporting this issue through huntr.dev.

Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-0610

CVE-2023-0610:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wallabag/wallabag	composer	>= 2.0.0-beta.1, < 2.5.3	2.5.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks in PUT/DELETE handlers. Pre-patch code used Sensio's ParamConverter to automatically fetch Annotation entities by ID without verifying user ownership. This allowed ID enumeration attacks. The commit replaced ParamConverter usage with explicit repository calls (findOneByIdAndUserId) in both methods, and added a validateAnnotation helper to enforce ownership. The vulnerable functions were directly handling requests without these checks, enabling cross-user modifications/deletions and information disclosure through error discrepancies.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-0610: wallabag subject to Improper Authorization via annotations

Impact

Resolution

Workarounds

Credits

CVE-2023-0610:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-0610: wallabag subject to Improper Authorization via annotations

Impact

Resolution

Workarounds

Credits

Technical Details

5.4

5.4

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI