OpenVSX Improper Authorization Vulnerability in Namespace Details API
Vulnerability
A vulnerability exists in OpenVSX versions 0.9.0 through 0.20.0 that allows users to edit namespace details via the '/user/namespace/{namespace}/details' API, regardless of whether they own or contribute to the namespace. Affected details include the namespace name, description, website, support link, and social media links. The vulnerability also extends to the '/user/namespace/{namespace}/details/logo' endpoint, where users can change the namespace logo without proper authorization.
Impact
Exploitation of this vulnerability allows unauthorized users to modify any namespace information, potentially leading to social engineering attacks by inserting misleading details into the namespace profile.
Reproduction
To reproduce this vulnerability, log into OpenVSX with a GitHub account that has no privileges over any namespace. After obtaining the session cookie, access the '/user/csrf' endpoint to retrieve a CSRF token. With these two pieces of information, send a request to the '/user/namespace/{namespace}/details' API endpoint, including the CSRF token and session cookie, along with the new namespace details. This request will be processed, allowing unauthorized changes to the namespace information.
Remediation
Users can update to OpenVSX version 0.19.1, where this vulnerability has been patched.
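The authorization check that both endpoints lacked, shown as an added sketch that is not OpenVSX source code. Class, method and role names and the sample data are hypothetical, and which roles may edit a namespace is an assumption.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; every name here is hypothetical, not taken from OpenVSX.
public class NamespaceDetailsAuthz {
    enum Role { OWNER, CONTRIBUTOR }

    // Constructed sample data: namespace -> (user -> role).
    static final Map<String, Map<String, Role>> MEMBERS = Map.of(
        "acme", Map.of("alice", Role.OWNER, "bob", Role.CONTRIBUTOR));

    // Assumption: roles permitted to edit namespace details and logo.
    static final Set<Role> MAY_EDIT = Set.of(Role.OWNER, Role.CONTRIBUTOR);

    // Flawed pattern: a valid session and CSRF token are treated as sufficient.
    static int authorizeUnchecked(String user, boolean csrfOk, String namespace) {
        if (user == null) return 401;
        if (!csrfOk) return 403;
        return MEMBERS.containsKey(namespace) ? 200 : 404;
    }

    // Corrected pattern: the caller's role in the target namespace is checked too.
    static int authorize(String user, boolean csrfOk, String namespace) {
        if (user == null) return 401;
        if (!csrfOk) return 403;
        Map<String, Role> members = MEMBERS.get(namespace);
        if (members == null) return 404;
        Role role = members.get(user);
        if (role == null || !MAY_EDIT.contains(role)) return 403;
        return 200;
    }

    // Both write paths go through the same check, so neither can be missed.
    static int updateDetails(String user, boolean csrfOk, String namespace) {
        int status = authorize(user, csrfOk, namespace);
        return status; // apply the new name, description and links only on 200
    }

    static int updateLogo(String user, boolean csrfOk, String namespace) {
        int status = authorize(user, csrfOk, namespace);
        return status; // store the new logo only on 200
    }

    public static void main(String[] args) {
        // "mallory" is logged in with a valid CSRF token but has no role in "acme".
        System.out.println("unchecked: " + authorizeUnchecked("mallory", true, "acme"));
        System.out.println("details:   " + updateDetails("mallory", true, "acme"));
        System.out.println("logo:      " + updateLogo("mallory", true, "acme"));
        System.out.println("member:    " + updateDetails("bob", true, "acme"));
    }
}
```

A regression test for this class of bug should call both the details and the logo path as a user with no role in the namespace and expect a 403 from each.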
