Vikunja Desktop Unvalidated Protocol Handler Vulnerability Allowing Arbitrary Application Invocation
Vulnerability
A vulnerability in the Vikunja Desktop Electron wrapper, affecting versions from 0.21.0 up to but not including 2.2.0, allows URLs to be opened without validation through the operating system's default application handlers. The issue arises because the application passes URLs from 'window.open()' calls directly to Electron's 'shell.openExternal()' without validating them or restricting them to an allowlist of protocols. As a result, an attacker who can place links that trigger 'window.open' in user-generated content (for example, task descriptions) can cause the victim's desktop client to launch local applications, open local files, or activate custom protocol handlers.
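The root cause described above is the absence of a protocol allowlist between 'window.open()' and 'shell.openExternal()'. The following is an added example of such a guard written for this page; it is not Vikunja's code and does not claim to be the fix shipped in 2.2.0. It assumes the Electron main-process API 'webContents.setWindowOpenHandler()' and 'shell.openExternal()', and takes the 'shell' object as a parameter so the logic runs without Electron installed. Only 'http:' and 'https:' are permitted; 'file:', 'javascript:', 'mailto:' and any custom scheme are refused, because those are exactly the handlers the advisory says reach local applications or leak data.

```javascript
// Added example (not Vikunja's code): allowlist the protocols that an Electron
// window.open() target may be handed to shell.openExternal().

// Only web URLs are allowed to leave the application. file:, javascript:,
// mailto: and vendor-specific schemes are refused.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only for a syntactically valid absolute URL whose scheme is on
// the allowlist. Anything that fails to parse is rejected rather than guessed at.
function isAllowedExternalUrl(rawUrl) {
  if (typeof rawUrl !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(rawUrl); // WHATWG URL parser, global in Node and Electron
  } catch (err) {
    return false; // relative paths, empty strings, malformed input
  }
  // The parser lower-cases the scheme, so "HTTPS://..." is handled as well.
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Builds the callback for webContents.setWindowOpenHandler(). The `shell`
// argument is Electron's shell module in a real app; it is injected here so the
// behaviour can be exercised in plain Node. Every window.open() is denied as a
// new BrowserWindow; allowlisted URLs go to the OS browser via openExternal,
// everything else is dropped and reported to the optional onBlocked callback
// (hypothetical hook, useful for logging and detection).
function createWindowOpenHandler(shell, onBlocked = () => {}) {
  return ({ url }) => {
    if (isAllowedExternalUrl(url)) {
      shell.openExternal(url);
    } else {
      onBlocked(url);
    }
    return { action: 'deny' };
  };
}

// Wiring inside the Electron main process (assumed usage, not run here):
//   const { shell } = require('electron');
//   win.webContents.setWindowOpenHandler(
//     createWindowOpenHandler(shell, (u) => console.warn('blocked window.open to', u))
//   );
```

Returning '{ action: "deny" }' unconditionally also prevents the renderer from spawning uncontrolled child windows; the only side effect a 'window.open' call can have is an 'openExternal' on a URL that passed the allowlist. Logging the blocked URLs gives defenders a signal that someone is seeding content with non-web links.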
Impact
Exploitation of this vulnerability could result in arbitrary local applications being invoked with the privileges of the victim's operating-system user, local files being opened with their default applications, and, through protocol handlers known to be vulnerable, command execution. There is also a risk of information disclosure by activating handlers that send data, such as 'mailto:' with a pre-filled message body.
Reproduction
To reproduce this vulnerability, first set up a Vikunja instance and create two user accounts that share a project. As the attacker, log in and create a task containing a link that triggers 'window.open' with a URL designed to exploit the vulnerability, such as a 'file://' link pointing to a local executable. Once the task is saved, log in as the victim user, open the task, and click the link. The specified application will launch on the victim's machine.
Remediation
Users are advised to update Vikunja Desktop to version 2.2.0 or later, where this vulnerability has been fixed.
