Miggo Logo
Miggo Vulnerability Database
GHSA-h45f-rjvw-2rv2

GHSA-h45f-rjvw-2rv2: Withdrawn: wallabag subject to Improper Authorization

4.3

CVSS Score
3.1

Basic Information

CVE ID
-
GHSA ID
GHSA-h45f-rjvw-2rv2
EPSS Score
-
CWE
CWE-285
Published
2/1/2023
Updated
2/8/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
wallabag/wallabagcomposer>= 2.0.0-alpha.1, < 2.5.32.5.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows the downloadEntryAction method was modified to add user authorization checks (comparing current user ID with entry owner ID). The original method signature accepted an Entry parameter without ownership validation, making it vulnerable to IDOR attacks. The added tests (testForbiddenEntryId) confirm the authorization check was missing in previous versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## *upli**t* **visory T*is **visory **s ***n wit**r*wn ****us* it is * *upli**t* o* [**S*-qwx*-mxxx-m***](*ttps://*it*u*.*om/**visori*s/**S*-qwx*-mxxx-m***). T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. ## Ori*in*l **s*ription Improp*r

Reasoning

T** *ommit *i** s*ows t** `*ownlo***ntry**tion` m*t*o* w*s mo*i*i** to *** us*r *ut*oriz*tion ****ks (*omp*rin* *urr*nt us*r I* wit* *ntry own*r I*). T** ori*in*l m*t*o* si*n*tur* ****pt** *n `*ntry` p*r*m*t*r wit*out own*rs*ip v*li**tion, m*kin* it