Vikunja Background Image Deletion Vulnerability for Read-Only Users
Vulnerability
A vulnerability in Vikunja, a self-hosted task management platform, allows users who hold only read-only access to a project to delete that project's background image. It affects Vikunja versions from 0.20.2 up to, but not including, 2.2.0. The cause is a wrong permission check: the handler for 'DELETE /api/v1/projects/:project/background' tests the caller's 'CanRead' permission where it should test 'CanUpdate', so anyone who can view the project, including recipients of a read-only share, can remove its background image.
Impact
Exploitation lets a user with only read access permanently delete a project's background image. The deletion cannot be undone within Vikunja, so the result is irreversible data loss for the project owner, caused by an account that should only have been able to view the project.
Reproduction
To reproduce this vulnerability:
1. As User A, create a project and set a background image on it.
2. As User A, share the project with another user, User B, granting read-only permission.
3. As User B, send a DELETE request to the project's background endpoint ('DELETE /api/v1/projects/:project/background') with User B's own valid authentication token.
The request succeeds and the background image is deleted, even though User B's read-only share should permit viewing the project only.
Remediation
Upgrade to Vikunja version 2.2.0 or later, which fixes the issue by requiring the 'CanUpdate' permission on the background deletion endpoint. After upgrading, confirm the fix by repeating the reproduction steps: the DELETE request from a read-only user should now be rejected and the background image left in place.
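As an added example, and not Vikunja's own code (which this page does not reproduce), the following Go program models the permission mix-up behind the reproduction and remediation sections above. It defines a minimal project model with read-only, read/write and admin share levels, a handler for the DELETE background endpoint that can be gated on either CanRead (the vulnerable behaviour) or CanUpdate (the fixed behaviour), and an in-process run of User B's request. The Right values, the Project and token types, the token-to-user lookup and the handler itself are assumptions made for the illustration, not Vikunja's internals.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Right is a share level on a project. Assumption for this illustration:
// 0 = read-only, 1 = read/write, 2 = admin. Nothing here is Vikunja code.
type Right int

const (
	RightRead  Right = 0
	RightWrite Right = 1
	RightAdmin Right = 2
)

// Project is a minimal model: an owner, shared users with their rights, and
// a background file ID (0 means no background is set).
type Project struct {
	OwnerID      int64
	Shares       map[int64]Right
	BackgroundID int64
}

// CanRead is true for the owner and for any share level, including read-only.
func (p *Project) CanRead(uid int64) bool {
	if uid == p.OwnerID {
		return true
	}
	_, shared := p.Shares[uid]
	return shared
}

// CanUpdate is true for the owner and for shares with read/write or admin rights.
func (p *Project) CanUpdate(uid int64) bool {
	if uid == p.OwnerID {
		return true
	}
	r, shared := p.Shares[uid]
	return shared && r >= RightWrite
}

// tokens maps bearer tokens to user IDs. Constructed sample data: a real
// server would validate a signed token instead of consulting a table.
var tokens = map[string]int64{
	"token-user-a": 1, // project owner
	"token-user-b": 2, // read-only share recipient
}

// backgroundHandler serves DELETE /api/v1/projects/1/background for one
// project. With fixed=false it gates on CanRead, the flaw described above;
// with fixed=true it gates on CanUpdate, as the 2.2.0 fix does.
func backgroundHandler(p *Project, fixed bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodDelete || r.URL.Path != "/api/v1/projects/1/background" {
			http.NotFound(w, r)
			return
		}
		uid, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		allowed := p.CanRead(uid) // vulnerable check: any viewer passes
		if fixed {
			allowed = p.CanUpdate(uid) // correct check: read-only shares fail
		}
		if !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		p.BackgroundID = 0 // the destructive action: the background is gone
		w.WriteHeader(http.StatusOK)
	}
}

// Reproduce runs the reproduction scenario in-process: User A (ID 1) owns a
// project with a background, User B (ID 2) holds a read-only share, and the
// caller identified by token sends the DELETE request. It returns the HTTP
// status code and whether the background survived.
func Reproduce(fixed bool, token string) (status int, backgroundKept bool) {
	p := &Project{OwnerID: 1, Shares: map[int64]Right{2: RightRead}, BackgroundID: 42}
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/projects/1/background", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	backgroundHandler(p, fixed).ServeHTTP(rec, req)
	return rec.Code, p.BackgroundID != 0
}

func main() {
	for _, fixed := range []bool{false, true} {
		status, kept := Reproduce(fixed, "token-user-b")
		fmt.Printf("fixed=%-5v read-only user DELETE -> %d, background kept: %v\n", fixed, status, kept)
	}
}
```

Running it shows the read-only user's request returning 200 and removing the background under the CanRead gate, and 403 with the background intact under the CanUpdate gate, while the owner's request still succeeds after the fix. The point to carry over to a real review is that read and update permissions must be checked separately for every mutating route, since any viewer satisfies a read check.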
