Vikunja Link Share Delete Insecure Direct Object Reference Vulnerability Allowing Cross-Project Deletion
Vulnerability
An insecure direct object reference vulnerability has been identified in Vikunja, an open-source task management platform, prior to version 2.2.1. The issue arises in the 'DELETE /api/v1/projects/:project/shares/:share' endpoint, which fails to verify that the link share belongs to the specified project. This allows an attacker with admin access to any project to delete link shares from other projects by manipulating the project ID and share ID in the request. The vulnerability affects Vikunja versions through 0.24.6.
Impact
Exploitation of this vulnerability allows an admin user to delete link shares from any project, disrupting collaboration by removing shared access links. The sequential nature of link share IDs also makes enumeration of shares trivial.
Reproduction
To reproduce this vulnerability, an admin user can delete a link share from a different project by sending a DELETE request to the '/api/v1/projects/:project/shares/:share' endpoint. The request must include the ID of the project from which the share is to be deleted, along with the ID of the share itself. The permission check will pass, allowing the deletion to occur, even though the share belongs to a different project.
Remediation
Users can upgrade to Vikunja version 2.2.1 or later, where this vulnerability has been patched.
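The missing ownership check described above, shown beside a scoped version, as an added example that is not Vikunja's code. The `Store` and `LinkShare` types, the function names and the sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// LinkShare and Store are hypothetical stand-ins, not Vikunja's own models.
type LinkShare struct{ ID, ProjectID int64 }
type Store struct {
	shares map[int64]LinkShare       // keyed by share ID
	admins map[int64]map[string]bool // project ID -> users with admin rights
}

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("link share not found")

// DeleteShareUnsafe: admin check uses the URL project ID, delete uses the share ID alone.
func (s *Store) DeleteShareUnsafe(user string, projectID, shareID int64) error {
	if !s.admins[projectID][user] {
		return ErrForbidden
	}
	delete(s.shares, shareID) // never confirms the share is in projectID
	return nil
}

// DeleteShareScoped also requires the share to belong to the authorized project.
func (s *Store) DeleteShareScoped(user string, projectID, shareID int64) error {
	if !s.admins[projectID][user] {
		return ErrForbidden
	}
	share, ok := s.shares[shareID]
	if !ok || share.ProjectID != projectID {
		return ErrNotFound // same answer for a missing ID and a foreign one
	}
	delete(s.shares, shareID)
	return nil
}

// newStore returns constructed sample data: alice administers project 1 only.
func newStore() *Store {
	return &Store{
		shares: map[int64]LinkShare{10: {10, 1}, 11: {11, 2}},
		admins: map[int64]map[string]bool{1: {"alice": true}, 2: {"bob": true}},
	}
}

func main() {
	fmt.Println(newStore().DeleteShareUnsafe("alice", 1, 11), newStore().DeleteShareScoped("alice", 1, 11))
}
```

In a SQL-backed service the same scoping is usually expressed by putting both the share ID and the project ID in the delete's WHERE clause and treating zero affected rows as not found.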
