LinkAce Private Note Disclosure Vulnerability via Web Interface
Vulnerability
A vulnerability in LinkAce versions prior to 2.5.3 allows private notes attached to non-private links to be disclosed to other authenticated users through the web interface. While the API correctly enforces note visibility, the web link detail page fails to apply the same filtering, leading to unauthorized access to private notes. This issue arises because the web interface directly renders link notes without considering their visibility settings. Consequently, an authenticated user who can view another user's internal or public link may also access the private notes associated with it.
Impact
This vulnerability enables a low-privileged authenticated user to read another user's private notes, as long as the link's visibility is set to internal or public. The exposed notes could contain sensitive information such as internal references, credentials, tokens, or operational details.
Reproduction
To reproduce this vulnerability, create two user accounts: 'victim' and 'attacker'. Log in as 'victim' and create a link with 'Internal' visibility. Afterward, attach a note marked 'Private' to that link. Once the note is added, log out and log in as 'attacker'. Open the detail page of the link owned by 'victim' through the web interface. The private note content will be visible to 'attacker', demonstrating the unauthorized disclosure.
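The flaw described under Vulnerability and the scenario above can be modeled as a regression check. This is an added example, not LinkAce's own code: the class and function names, the note visibility levels other than 'Private', and the rule that 'Internal' means any logged-in user are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Visibility(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    PRIVATE = "private"

@dataclass
class Note:
    owner: str
    text: str
    visibility: Visibility

@dataclass
class Link:
    owner: str
    visibility: Visibility
    notes: list = field(default_factory=list)

def can_view(owner, visibility, viewer):
    """One visibility rule for links and notes; viewer is None for a guest."""
    if visibility is Visibility.PUBLIC:
        return True
    if visibility is Visibility.INTERNAL:
        return viewer is not None      # assumption: any authenticated user
    return viewer == owner             # PRIVATE: owner only

def render_detail_unfiltered(link, viewer):
    """Pattern the advisory describes: the link is checked, its notes are not."""
    if not can_view(link.owner, link.visibility, viewer):
        raise PermissionError("link not visible")
    return [n.text for n in link.notes]

def render_detail_filtered(link, viewer):
    """Same page with the per-note check the API path already enforces."""
    if not can_view(link.owner, link.visibility, viewer):
        raise PermissionError("link not visible")
    return [n.text for n in link.notes
            if can_view(n.owner, n.visibility, viewer)]

def sample_link():
    """Constructed data mirroring the reproduction steps."""
    return Link("victim", Visibility.INTERNAL, [
        Note("victim", "constructed-private-note", Visibility.PRIVATE),
        Note("victim", "shared note", Visibility.INTERNAL),
    ])

if __name__ == "__main__":
    link = sample_link()
    print("unfiltered:", render_detail_unfiltered(link, "attacker"))
    print("filtered:  ", render_detail_filtered(link, "attacker"))
```

Routing both the API and the web view through a single check like `can_view` is what keeps the two paths from drifting apart again.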
Remediation
Users can update to LinkAce version 2.5.3 or later, where this vulnerability has been patched.
