CollabPlatform CORS Misconfiguration Vulnerability Allowing Authenticated Cross-Origin Data Exposure

Vulnerability

A vulnerability exists in CollabPlatform, a real-time document collaboration tool, due to a misconfiguration in the Appwrite project it utilizes. This misconfiguration allows arbitrary origins in Cross-Origin Resource Sharing (CORS) responses while permitting credentialed requests. As a result, an attacker-controlled domain can make authenticated cross-origin requests to the application's account endpoint and access sensitive user information, including email addresses, account identifiers, and multi-factor authentication (MFA) status. This vulnerability is present in all versions of CollabPlatform and had no available fix at the time of publication.

Impact

Exploitation of this vulnerability allows for cross-site authenticated data theft, specifically user account information such as email addresses, user IDs, MFA status, and account metadata. This could lead to user profiling and potential exploitation of other vulnerabilities.

Reproduction

To reproduce this vulnerability, an attacker must set up a website that they control and configure it to send cross-origin requests to the Appwrite account endpoint. The request must include authentication cookies from a logged-in user. When the user visits the attacker's website, the browser will send the request with the included cookies, and the response will contain sensitive account information.

Remediation

To address this vulnerability, Appwrite project owners should restrict allowed web origins to only include trusted domains, remove any wildcard or overly broad entries, and ensure that dynamic origin reflection and credentials with wildcard origins are not allowed.
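As an added example (not code from the advisory, from CollabPlatform or from Appwrite), the following check lets a defender classify a single response's CORS headers for the pattern described above: an untrusted origin reflected in Access-Control-Allow-Origin while Access-Control-Allow-Credentials is true. The sample headers and origin names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class CorsVerdict:
    exposes_authenticated_data: bool  # browser would let a foreign page read the response
    misconfigured: bool               # policy is broader than a trusted allowlist
    reason: str

def check_cors_headers(request_origin: str, headers: dict, trusted_origins: set) -> CorsVerdict:
    """Classify one response. `request_origin` is the Origin sent with the request,
    `headers` the response header map (matched case-insensitively), and
    `trusted_origins` the exact origins the project should allow."""
    h = {k.lower(): v for k, v in headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    allow_creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"

    if allow_origin is None:
        return CorsVerdict(False, False, "no ACAO header: cross-origin reads are blocked")
    if allow_origin == "*":
        # Browsers refuse '*' for credentialed requests, so cookies never reach the
        # reader; the wildcard is still an overly broad entry worth removing.
        if allow_creds:
            return CorsVerdict(False, True, "wildcard with credentials (rejected by browsers)")
        return CorsVerdict(False, True, "wildcard origin: only public data is readable")
    if allow_origin in trusted_origins and allow_origin == request_origin:
        return CorsVerdict(False, False, "origin matches the trusted allowlist")
    if allow_origin == request_origin:
        # Dynamic reflection of an origin that is not on the allowlist.
        if allow_creds:
            return CorsVerdict(True, True, "untrusted origin reflected with credentials allowed")
        return CorsVerdict(False, True, "untrusted origin reflected without credentials")
    return CorsVerdict(False, False, f"ACAO {allow_origin!r} does not match request origin")

# Constructed samples (hypothetical origins, not values from the advisory).
TRUSTED = {"https://collab.example"}
REFLECTED_WITH_CREDS = {"Access-Control-Allow-Origin": "https://attacker.example",
                        "Access-Control-Allow-Credentials": "true"}
WILDCARD_WITH_CREDS = {"Access-Control-Allow-Origin": "*",
                       "Access-Control-Allow-Credentials": "true"}
ALLOWLISTED = {"Access-Control-Allow-Origin": "https://collab.example",
               "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    for origin, hdrs in [("https://attacker.example", REFLECTED_WITH_CREDS),
                         ("https://attacker.example", WILDCARD_WITH_CREDS),
                         ("https://collab.example", ALLOWLISTED)]:
        print(origin, check_cors_headers(origin, hdrs, TRUSTED))
```

Run it against responses captured from the account endpoint with different Origin values; only the reflected-with-credentials case is the exposure this advisory describes, while the wildcard case is the overly broad entry the remediation asks owners to remove.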

Added: Feb 21, 2026, 11:18 AM
Updated: Feb 21, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.9
exploitability: 7.3
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.