Docmost Authorization Bypass Vulnerability Allowing Exposure of Restricted Child Page Metadata
Vulnerability
An authorization bypass vulnerability has been identified in Docmost versions 0.70.0 prior to 0.70.2. This vulnerability allows unauthenticated users to access restricted child page titles and text snippets through the public search endpoint for shared content. The issue arises when a share includes subpages, as the public search does not properly filter out restricted descendants, leading to a breach of confidentiality by exposing hidden content.
Impact
Exploitation of this vulnerability allows unauthorized access to restricted child page metadata, including titles and text snippets, through the public search API for shared content.
Reproduction
To reproduce this vulnerability, share a parent page publicly with the 'includeSubPages=true' option. Ensure that some child pages are restricted and not visible to public viewers. After sharing, a public visitor can access the share link and send a request to the public search endpoint using a search term that exists in the restricted child pages. The API will return the restricted content, bypassing the intended access controls.
Remediation
Users can upgrade to Docmost version 0.70.3, which addresses this vulnerability.
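The defect described above comes down to scoping: a public search over a share walked the whole subtree beneath the shared root and never asked whether a descendant was restricted. The following added example (illustrative TypeScript, not Docmost's code; the Page/Share shapes, the `restricted` flag and the constructed sample workspace are all assumptions) puts the unfiltered search beside a filtered one. The filtered variant prunes a restricted page together with everything beneath it, so neither its title nor a content snippet reaches an unauthenticated caller; treating restrictions as inherited by descendants is a defensive choice made here, not something the advisory states.

```typescript
// Added example (not Docmost's code): public-share search scoped to a share's page
// subtree, with and without filtering of restricted descendants. Field names are assumed.

interface Page {
  id: string;
  parentId: string | null;
  title: string;
  content: string;
  restricted: boolean; // assumed flag: page is hidden from public viewers
}

interface Share {
  rootPageId: string;
  includeSubPages: boolean;
}

interface SearchHit {
  id: string;
  title: string;
  snippet: string;
}

// Constructed sample workspace: a public root with one open child, one restricted child,
// and a grandchild beneath the restricted child.
const SAMPLE_PAGES: Page[] = [
  { id: 'root', parentId: null, title: 'Handbook', content: 'Welcome to the public handbook.', restricted: false },
  { id: 'open', parentId: 'root', title: 'Onboarding', content: 'Onboarding steps for new hires.', restricted: false },
  { id: 'secret', parentId: 'root', title: 'Payroll', content: 'Payroll rotation secret-token-123.', restricted: true },
  { id: 'deep', parentId: 'secret', title: 'Bank details', content: 'Account numbers for payroll.', restricted: false },
];

const SAMPLE_SHARE: Share = { rootPageId: 'root', includeSubPages: true };

function matches(page: Page, term: string): boolean {
  const t = term.toLowerCase();
  return page.title.toLowerCase().includes(t) || page.content.toLowerCase().includes(t);
}

// A short window of page text around the first match, as a search API would return.
function snippet(page: Page, term: string, width = 30): string {
  const idx = page.content.toLowerCase().indexOf(term.toLowerCase());
  if (idx < 0) return page.content.slice(0, width);
  const start = Math.max(0, idx - Math.floor(width / 2));
  return page.content.slice(start, start + width);
}

// Breadth-first walk of the subtree under rootId. `hide` decides whether a node is
// withheld from public viewers; a hidden node is skipped and its subtree is not entered.
function collectSubtree(pages: Page[], rootId: string, includeSubPages: boolean, hide: (p: Page) => boolean): Page[] {
  const byParent = new Map<string | null, Page[]>();
  for (const p of pages) {
    const list = byParent.get(p.parentId) ?? [];
    list.push(p);
    byParent.set(p.parentId, list);
  }
  const root = pages.find(p => p.id === rootId);
  if (!root || hide(root)) return [];
  const out: Page[] = [root];
  if (!includeSubPages) return out;
  const queue: Page[] = [root];
  for (let i = 0; i < queue.length; i++) {
    for (const child of byParent.get(queue[i].id) ?? []) {
      if (hide(child)) continue; // restricted: drop it and everything beneath it
      out.push(child);
      queue.push(child);
    }
  }
  return out;
}

function toHits(pages: Page[], term: string): SearchHit[] {
  return pages
    .filter(p => matches(p, term))
    .map(p => ({ id: p.id, title: p.title, snippet: snippet(p, term) }));
}

// Unfiltered behaviour: every descendant of the shared root is searchable, restricted or not.
function publicSearchVulnerable(pages: Page[], share: Share, term: string): SearchHit[] {
  return toHits(collectSubtree(pages, share.rootPageId, share.includeSubPages, () => false), term);
}

// Filtered behaviour: restricted pages (and, by the assumption made here, their descendants)
// are pruned before matching, so their titles and snippets never reach a public caller.
function publicSearchFixed(pages: Page[], share: Share, term: string): SearchHit[] {
  return toHits(collectSubtree(pages, share.rootPageId, share.includeSubPages, p => p.restricted), term);
}
```

Running `publicSearchVulnerable` on the sample workspace with the term "payroll" returns the restricted page and its child, snippet included; `publicSearchFixed` returns nothing for that term while still finding the open "Onboarding" page, and returns only the root when `includeSubPages` is false. The point to verify in a review is that the visibility check is applied while the subtree is being built, not bolted on after matching, so a future code path that reuses the subtree cannot forget it.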