Vikunja IDOR Vulnerability in Task Comments Allows Unauthorized Comment Access
Vulnerability
An authenticated user in Vikunja versions prior to 2.2.0 can exploit an Insecure Direct Object Reference (IDOR) vulnerability to read any task comment by ID. The user requests a comment through the API URL of a task they are authorized to view, but supplies the ID of a comment that belongs to a different task, one they are not authorized to view. The vulnerability arises because the API endpoint for fetching comments does not verify that the requested comment belongs to the task specified in the URL before returning it.
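The check the advisory describes as missing, shown as an added Go example (not Vikunja's own code): a simplified in-memory model with a handler that verifies task access but loads the comment by ID alone, beside a hardened version that also requires the comment's task ID to match the task in the URL. The task, comment and user IDs are constructed for the example; the Store, Task and Comment types and the two Get functions are assumptions, not Vikunja identifiers.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified data model, constructed for this example; not Vikunja's schema.
type Task struct {
	ID      int64
	Members map[int64]bool // user IDs allowed to read the task
}

type Comment struct {
	ID     int64
	TaskID int64 // the task this comment belongs to
	Author string
	Text   string
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Store holds tasks and comments keyed by ID (hypothetical in-memory backend).
type Store struct {
	tasks    map[int64]*Task
	comments map[int64]*Comment
}

// newStore builds constructed sample data: user 100 may read task 1,
// user 200 may read task 2, and each task has one comment.
func newStore() *Store {
	return &Store{
		tasks: map[int64]*Task{
			1: {ID: 1, Members: map[int64]bool{100: true}},
			2: {ID: 2, Members: map[int64]bool{200: true}},
		},
		comments: map[int64]*Comment{
			10: {ID: 10, TaskID: 1, Author: "alice", Text: "visible to task 1 members"},
			20: {ID: 20, TaskID: 2, Author: "bob", Text: "should be private to task 2"},
		},
	}
}

func (s *Store) canReadTask(userID, taskID int64) bool {
	t, ok := s.tasks[taskID]
	return ok && t.Members[userID]
}

// GetCommentVulnerable models the flaw: access to the task in the URL is
// checked, but the comment is then fetched by ID with no ownership check,
// so any comment ID is returned once the caller can read some task.
func (s *Store) GetCommentVulnerable(userID, taskID, commentID int64) (*Comment, error) {
	if !s.canReadTask(userID, taskID) {
		return nil, ErrForbidden
	}
	c, ok := s.comments[commentID]
	if !ok {
		return nil, ErrNotFound
	}
	return c, nil
}

// GetCommentFixed adds the missing check: the comment must belong to the
// task named in the URL. A mismatch is reported as not-found rather than
// forbidden so the response does not reveal that the comment exists elsewhere.
func (s *Store) GetCommentFixed(userID, taskID, commentID int64) (*Comment, error) {
	if !s.canReadTask(userID, taskID) {
		return nil, ErrForbidden
	}
	c, ok := s.comments[commentID]
	if !ok || c.TaskID != taskID {
		return nil, ErrNotFound
	}
	return c, nil
}

func main() {
	s := newStore()
	// User 100 may read task 1 and asks for comment 20, which belongs to task 2.
	if c, err := s.GetCommentVulnerable(100, 1, 20); err == nil {
		fmt.Printf("vulnerable: leaked comment %d by %s: %q\n", c.ID, c.Author, c.Text)
	}
	if _, err := s.GetCommentFixed(100, 1, 20); err != nil {
		fmt.Println("fixed:", err)
	}
}
```

The same pattern applies to any nested resource route: after authorizing the parent object from the URL, load the child by both its own ID and the parent ID (or compare the loaded child's parent field) rather than trusting the child ID alone.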
Impact
Exploitation of this vulnerability allows for unauthorized access to task comments, potentially leaking sensitive information such as comment content and authorship.
Reproduction
To reproduce this vulnerability, an authenticated user with access to at least one task can send a request to the 'GET /api/v1/tasks/{taskID}/comments/{commentID}' endpoint. By setting '{taskID}' to a task they have access to and '{commentID}' to the ID of a comment belonging to a different task, the user bypasses the authorization check on the comment's real task and can read comments they should not have access to.
Remediation
Users are advised to update Vikunja to version 2.2.0 or later, where this vulnerability has been fixed.
