GHSA-5pm7-cp8f-p2c2: wallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities

wallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities across several endpoints. An attacker could craft a malicious link or page that, if visited by a logged-in wallabag user, could trick the user’s browser into performing unintended actions within their wallabag account without their consent. Additionally, one endpoint affects the login page locale setting.

The affected endpoints allow attackers to potentially perform actions such as:

• Manage API Tokens:
• /generate-token
• /revoke-token
• Manage User Rules:
• /tagging-rule/delete/{taggingRule}
• /ignore-origin-user-rule/delete/{ignoreOriginUserRule}
• Modify User Configuration:
• /config/view-mode
• Manage Individual Entries:
• /reload/{id}
• /archive/{id}
• /star/{id}
• /delete/{id}
• /share/{id}
• /share/delete/{id}
• Manage Tags:
• /remove-tag/{entry}/{tag}
• /tag/search/{filter}
• /tag/delete/{slug}
• Perform Bulk Actions:
• /mass
• Change Interface Language (Login Page):
• /locale/{language}

Successfully exploiting these vulnerabilities could lead to unauthorized modification or deletion of user data, configuration changes, token manipulation, or interface changes, depending on the specific endpoint targeted.

This set of vulnerabilities has an aggregated CVSS v3.1 score of 4.3 (Medium).

Users are strongly advised to upgrade their wallabag instance to version 2.6.11 or later to mitigate these vulnerabilities.