Vikunja Task Attachment IDOR Vulnerability Allows Unauthorized Access and Deletion of Attachments
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Vikunja, a self-hosted task management platform, in versions prior to 2.2.1. The issue arises in the `TaskAttachment.ReadOne()` method, which retrieves attachments based solely on their ID, without considering the task ID from the URL. This oversight allows authenticated users to access or delete attachments from tasks in different projects by manipulating the task and attachment IDs. The vulnerability is exacerbated by the sequential nature of attachment IDs, which facilitates easy enumeration of all attachments in the system.
Impact
Exploitation of this vulnerability allows any authenticated user to download or delete any file attachment across the entire Vikunja instance, regardless of project permissions. This could lead to unauthorized access to confidential documents and data loss for users whose attachments are deleted.
Reproduction
To reproduce this vulnerability, an authenticated user with access to any task can exploit the attachment endpoint by referencing an attachment ID that belongs to a task in a different project. The `ReadOne()` method will retrieve the attachment without verifying its associated task, allowing the user to download or delete it. This can be done using a simple API request that includes the manipulated task and attachment IDs.
Remediation
Users can upgrade to Vikunja version 2.2.1 or later, where this vulnerability has been patched.
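The missing check described under Vulnerability, shown beside a task-scoped lookup. This is an added example, not Vikunja's code or its actual patch; the `Attachment` type, the in-memory `store`, and both function names are hypothetical, and the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Attachment is a hypothetical model; field names are assumptions, not Vikunja's schema.
type Attachment struct {
	ID     int64
	TaskID int64
	Name   string
}

var ErrNotFound = errors.New("attachment not found")

// Constructed sample data: attachment 1 belongs to task 10, attachment 2 to task 20.
var store = map[int64]Attachment{
	1: {ID: 1, TaskID: 10, Name: "notes.txt"},
	2: {ID: 2, TaskID: 20, Name: "contract.pdf"},
}

// readOneUnscoped mirrors the flaw: the task ID from the URL is accepted
// (and permission-checked elsewhere) but never used in the lookup itself.
func readOneUnscoped(urlTaskID, attachmentID int64) (Attachment, error) {
	a, ok := store[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// readOneScoped binds the lookup to the task the caller was authorized on.
// A mismatch returns the same error as a missing row, so sequential IDs
// cannot be used to tell "exists elsewhere" from "does not exist".
func readOneScoped(urlTaskID, attachmentID int64) (Attachment, error) {
	a, ok := store[attachmentID]
	if !ok || a.TaskID != urlTaskID {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

func main() {
	// The caller has passed the permission check for task 10 only.
	_, errU := readOneUnscoped(10, 2)
	_, errS := readOneScoped(10, 2)
	fmt.Println("unscoped:", errU, "| scoped:", errS)
}
```

The same cross-task request makes a useful regression test: any attachment handler that takes both IDs should return not-found when the attachment's task differs from the task in the URL.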
