LinkAce Authorization Bypass Vulnerability in RSS Feed Endpoints Allowing Access to Private User Data
Vulnerability
An authorization bypass vulnerability has been identified in LinkAce versions through 2.3.1. The issue resides in the authenticated RSS feed endpoints of the FeedController class, which lack proper authorization checks. This flaw enables any authenticated user to access all links, lists, and tags from every user in the system, irrespective of ownership or visibility settings. The vulnerability arises because the application fails to apply necessary data scopes that enforce access controls, allowing sensitive information to be exposed via the RSS feeds.
Impact
Exploitation of this vulnerability allows authenticated users to access private links, lists, and tags belonging to other users, bypassing the application's privacy controls.
Reproduction
To reproduce this vulnerability, create two user accounts in LinkAce. Log in as the first user (User A) and create several private links with sensitive URLs. Then, log in as the second user (User B) and navigate to the RSS feed endpoint for links. The response will include all links from the system, including those created by User A, despite their private status. This exploitation can be repeated with the lists and tags feed endpoints, as well as with specific lists and tags, further demonstrating the lack of proper visibility checks.
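The following is an added example, not LinkAce's own code, that models the defect described above and the check a maintainer would run to confirm it is gone. The `Link`/`User` classes, the sample data, and the function names are constructed stand-ins: `links_unscoped` mirrors an authenticated feed endpoint that queries every row without applying an ownership or visibility scope, `links_visible_to` applies that scope before the feed is rendered, and `leaked_private_urls` parses the resulting RSS and reports any private URL owned by a different user, which is the regression test for the two-account scenario in the Reproduction section.

```python
"""Added example (hypothetical, not LinkAce code): missing data scope in an
RSS feed endpoint, the scoped query that fixes it, and a leakage check
run over the rendered feed."""
from dataclasses import dataclass
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape


@dataclass(frozen=True)
class User:
    id: int
    name: str


@dataclass(frozen=True)
class Link:
    id: int
    owner_id: int
    url: str
    title: str
    is_private: bool


# Constructed sample data: User A owns one private and one public link,
# User B owns a single private link.
USER_A = User(1, "alice")
USER_B = User(2, "bob")
LINKS = [
    Link(10, USER_A.id, "https://intranet.example/secret-report", "Q3 report", True),
    Link(11, USER_A.id, "https://example.com/public-post", "Public post", False),
    Link(12, USER_B.id, "https://example.org/bobs-notes", "Bob's notes", True),
]


def links_unscoped(requester: User) -> list[Link]:
    """Vulnerable pattern: the caller is authenticated, but the query
    returns every row regardless of owner or visibility."""
    return list(LINKS)


def links_visible_to(requester: User) -> list[Link]:
    """Hardened pattern: apply the data scope before building the feed.
    The requester sees their own links plus other users' non-private links."""
    return [l for l in LINKS if l.owner_id == requester.id or not l.is_private]


def render_rss(title: str, links: list[Link]) -> str:
    """Render a minimal RSS 2.0 document from a list of links."""
    items = "".join(
        f"<item><title>{escape(l.title)}</title><link>{escape(l.url)}</link></item>"
        for l in links
    )
    return f'<rss version="2.0"><channel><title>{escape(title)}</title>{items}</channel></rss>'


def feed_urls(rss_xml: str) -> set[str]:
    """Parse an RSS 2.0 document and return the set of item URLs."""
    root = ET.fromstring(rss_xml)
    return {item.findtext("link", "") for item in root.iter("item")}


def leaked_private_urls(rss_xml: str, requester: User) -> set[str]:
    """Regression check: private URLs owned by someone other than the
    requester that appear in the feed. An empty set means no leakage."""
    private_others = {l.url for l in LINKS if l.is_private and l.owner_id != requester.id}
    return feed_urls(rss_xml) & private_others


if __name__ == "__main__":
    # Fetch the links feed as User B with each implementation and report leaks.
    for fn in (links_unscoped, links_visible_to):
        feed = render_rss("links", fn(USER_B))
        print(f"{fn.__name__}: leaked={sorted(leaked_private_urls(feed, USER_B))}")
```

The same check applies unchanged to the lists and tags feeds: render the feed as the second user, then intersect the URLs it contains with the first user's private items. A non-empty result is the authorization bypass; after the fix only the requester's own items and other users' public items should remain.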
Remediation
Users are advised to update to LinkAce version 2.4.0, where this vulnerability has been patched.
