LinkAce Cross-User Tag and List Attachment Vulnerability in processTaxonomy()
Vulnerability
A cross-user tag and list attachment vulnerability affects LinkAce versions through 2.1.0. The issue is in the processTaxonomy() method of LinkRepository.php: an authenticated user can attach other users' private tags and lists to their own links by supplying integer IDs. The method looks up tags and lists globally by ID without checking user ownership, which allows unauthorized modification of tag and list associations across users.
Impact
Exploitation allows cross-user tag and list attachment: an authenticated user can associate another user's tags or lists with their own links. This bypasses the intended user ownership policies and also enables enumeration of other users' tag and list names through the associated pivot table, potentially leading to unauthorized data modifications.
Remediation
To address this vulnerability, scope the integer ID lookups to the current user, or use the policy system to verify access before attaching tags or lists.
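The global lookup and the user-scoped lookup side by side, as an added example that is not LinkAce's code: a plain-PHP model of the pattern over constructed in-memory rows. The function names, the `user_id` field and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed rows standing in for a tags table (not LinkAce's schema).
$tags = [
    1 => ['user_id' => 10, 'name' => 'reading-list'],
    2 => ['user_id' => 20, 'name' => 'private-project'],
];

// Pattern from the advisory: integer IDs are resolved globally, so any
// existing tag is accepted regardless of who owns it.
function resolveGlobal(array $tags, array $ids): array
{
    return array_values(array_filter(
        $ids,
        fn ($id) => is_int($id) && isset($tags[$id])
    ));
}

// Remediation: the same lookup scoped to the current user. IDs owned by
// someone else are collected separately so they can be rejected and logged.
function resolveScoped(array $tags, array $ids, int $userId): array
{
    $result = ['attach' => [], 'denied' => []];
    foreach ($ids as $id) {
        if (!is_int($id) || !isset($tags[$id])) {
            continue; // unknown or non-integer input is skipped in this sketch
        }
        $owned = $tags[$id]['user_id'] === $userId;
        $result[$owned ? 'attach' : 'denied'][] = $id;
    }
    return $result;
}

// User 10 submits their own tag ID together with one owned by user 20.
$submitted = [1, 2];
var_dump(resolveGlobal($tags, $submitted));
var_dump(resolveScoped($tags, $submitted, 10));
```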
