Vikunja Cross-Project Information Disclosure Vulnerability

Vulnerability

A vulnerability in Vikunja prior to version 2.2.1 allows authenticated users to access the full details of tasks in projects they do not have permission to view. The issue arises because the API does not check project read permissions when returning related tasks. As a result, an authenticated user can obtain sensitive task information from private projects, undermining the platform's access control.

Impact

Exploitation of this vulnerability leads to unauthorized information disclosure, allowing users to access detailed metadata of tasks from projects they cannot read. This includes sensitive information such as task titles, descriptions, due dates, priorities, completion percentages, project IDs, and more. Additionally, the vulnerability reveals the existence and IDs of private projects, further compromising project-level access controls.

Reproduction

To reproduce this vulnerability, first create two users (User A and User B) with different project access levels: User A has access to both a shared project and a private project, while User B has access only to the shared project. Next, have User A create a relation between a task in the shared project and a task in the private project. Finally, have User B read tasks from the shared project. The response includes the task from the shared project together with the full details of the related task from the private project, despite User B having no access to it.
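Added example, not Vikunja's own code: a minimal Go model of the flaw and its fix, with related-task expansion that skips the project read check beside a version that applies it. All types, function names and the sample data are hypothetical, constructed to mirror the scenario above.

```go
package main
import "fmt"

// Hypothetical, simplified models for the bug described above; not Vikunja's own types.
type Task struct {
	ID, ProjectID int64
	Title         string
	Related       []int64 // IDs of tasks this task is related to
}
type Store struct {
	tasks   map[int64]Task
	readers map[int64]map[int64]bool // projectID -> userIDs allowed to read that project
}
func (s *Store) canRead(userID, projectID int64) bool { return s.readers[projectID][userID] }

// expandRelatedVulnerable mirrors the flaw: related tasks are returned in full with no project read check.
func expandRelatedVulnerable(s *Store, userID int64, t Task) (out []Task) {
	for _, id := range t.Related {
		if rt, ok := s.tasks[id]; ok {
			out = append(out, rt)
		}
	}
	return out
}

// expandRelatedFixed checks the related task's own project before exposing it; unreadable relations are dropped entirely.
func expandRelatedFixed(s *Store, userID int64, t Task) (out []Task) {
	for _, id := range t.Related {
		if rt, ok := s.tasks[id]; ok && s.canRead(userID, rt.ProjectID) {
			out = append(out, rt)
		}
	}
	return out
}

// sampleStore is the constructed Reproduction scenario: users 1 (A) and 2 (B) share project 1, project 2 is private to user 1.
func sampleStore() *Store {
	return &Store{
		tasks: map[int64]Task{
			10: {ID: 10, ProjectID: 1, Title: "shared task", Related: []int64{20}},
			20: {ID: 20, ProjectID: 2, Title: "private task"},
		},
		readers: map[int64]map[int64]bool{1: {1: true, 2: true}, 2: {1: true}},
	}
}

func main() {
	s := sampleStore()
	fmt.Println(len(expandRelatedVulnerable(s, 2, s.tasks[10]))) // 1: private task leaks to user B
	fmt.Println(len(expandRelatedFixed(s, 2, s.tasks[10])))      // 0: B sees nothing from project 2
}
```

Dropping unreadable relations, rather than returning a stub, also avoids revealing the private project's ID.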

Remediation

Users can update to Vikunja version 2.2.1 or later, where this vulnerability has been patched.

Added: Mar 24, 2026, 4:26 PM
Updated: Mar 24, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  6.2
remediation     0.0
relevance       4.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.