Vikunja Caldav Basic Authentication TOTP Bypass Vulnerability
Vulnerability
A vulnerability in Vikunja's Caldav endpoint prior to version 2.2.0 allows users to bypass two-factor authentication (2FA) by using Basic Authentication. This issue affects accounts with 2FA enabled, allowing unauthorized access to project information typically protected by 2FA, such as project names and descriptions.
Impact
Exploiting this vulnerability allows users to bypass 2FA and access sensitive project information that would normally be protected.
Reproduction
To reproduce this vulnerability, set up a Docker instance of Vikunja version 2.1.0 and create an account with 2FA enabled. After logging out, use a web proxy to send a PROPFIND request to the Caldav endpoint, including the Base64-encoded username and password in the Authorization header. The response will contain the user's project information, demonstrating the 2FA bypass.
Remediation
Versions from 2.2.0 onward are not affected, so upgrading is the primary fix. For deployments that cannot upgrade immediately, Basic Authentication on the Caldav endpoint should be disabled by default in favour of token-based access. If Basic Authentication is still required, it should be offered only behind an explicit feature flag, accompanied by a warning that password-based Basic Authentication bypasses 2FA.
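The following Go snippet is an added illustration of the remediation above, written for this page; it is not Vikunja's code and the `Account` fields, function names and constructed accounts are assumptions. It places the flawed check (a valid password over Basic Auth is accepted regardless of the account's 2FA state) beside a hardened check that only accepts a dedicated Caldav token for 2FA-enabled accounts, and denies password-based Basic Auth for them outright.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Account is a constructed stand-in for a user record; the field names are
// assumptions for this example, not Vikunja's own model.
type Account struct {
	Username    string
	Password    string // plain text only to keep the example self-contained
	TOTPEnabled bool
	CaldavToken string // per-client token issued after a full password+TOTP login
}

var ErrUnauthorized = errors.New("unauthorized")

// basicHeader builds an "Authorization: Basic ..." value for the demo and tests.
func basicHeader(user, secret string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+secret))
}

// parseBasicAuth extracts user and secret from an "Authorization: Basic ..." header.
func parseBasicAuth(header string) (string, string, error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", ErrUnauthorized
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return "", "", ErrUnauthorized
	}
	user, secret, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", ErrUnauthorized
	}
	return user, secret, nil
}

// equal compares two secrets in constant time.
func equal(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// authenticateVulnerable mirrors the flaw described on this page: a correct
// password over Basic Auth is enough, so the TOTP factor is never consulted
// on the Caldav path.
func authenticateVulnerable(accounts map[string]Account, header string) (Account, error) {
	user, secret, err := parseBasicAuth(header)
	if err != nil {
		return Account{}, err
	}
	acc, ok := accounts[user]
	if !ok || !equal(acc.Password, secret) {
		return Account{}, ErrUnauthorized
	}
	return acc, nil
}

// authenticateHardened accepts a Caldav token for any account and accepts a
// password only for accounts without TOTP, so enabling 2FA cannot be undone
// by switching to the Caldav endpoint.
func authenticateHardened(accounts map[string]Account, header string) (Account, error) {
	user, secret, err := parseBasicAuth(header)
	if err != nil {
		return Account{}, err
	}
	acc, ok := accounts[user]
	if !ok {
		return Account{}, ErrUnauthorized
	}
	// A Caldav token is issued only to a session that already passed 2FA.
	if acc.CaldavToken != "" && equal(acc.CaldavToken, secret) {
		return acc, nil
	}
	// A password alone is a single factor: refuse it once TOTP is enabled.
	if acc.TOTPEnabled || !equal(acc.Password, secret) {
		return Account{}, ErrUnauthorized
	}
	return acc, nil
}

func main() {
	// Constructed accounts for the demonstration.
	accounts := map[string]Account{
		"alice": {Username: "alice", Password: "correct horse", TOTPEnabled: true, CaldavToken: "tok-alice"},
		"bob":   {Username: "bob", Password: "hunter2"},
	}
	h := basicHeader("alice", "correct horse")
	_, errVuln := authenticateVulnerable(accounts, h)
	_, errHard := authenticateHardened(accounts, h)
	fmt.Println("2FA account, password over Basic Auth: vulnerable =", errVuln == nil, "hardened =", errHard == nil)
}
```

The hardened variant also keeps the non-2FA path working for accounts that never enabled TOTP, which is the behaviour a feature-flagged Basic Authentication would preserve while still honouring the second factor wherever it is configured.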