Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns an authorization flaw in Vikunja, a project management and to-do list application. The vulnerability could allow unauthorized access and modification of sensitive data, including file attachments across all projects, by bypassing permission checks.
- Flaw allows unauthorized access to shared links and files.
- Affects a project management tool often used externally.
- Confirm relevance and assess exposure of your Vikunja instances.
Attack Path
How an attacker could exploit the issue
An attacker could exploit this vulnerability by first leveraging an authorization flaw in the LinkSharing.ReadAll endpoint to gain access to share hashes, potentially escalating privileges. Subsequently, they could use the GetTaskAttachment endpoint to download or delete any task attachment across the entire instance without proper ownership verification. This chained attack could lead to significant data exposure and manipulation.
- No authentication required to start.
- Vulnerable endpoints are exposed via web.
- Risk of instance-wide data breach.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated attacker to gain unauthorized access to sensitive information, including administrative shares and all file attachments across an entire Vikunja instance. When supported by the advisory, this could occur by exploiting authorization flaws in the LinkSharing.ReadAll endpoint and insecure permission checks in the GetTaskAttachment endpoint.
- Sensitive system and user data could be exposed.
- Access via network without authentication.
- Unauthorized admin access and data exfiltration.
Operational Fix
Recommended remediation, mitigation, and detection steps
Application owners and infrastructure teams are likely responsible for addressing this authorization flaw in Vikunja. The first practical step involves identifying all instances of Vikunja, assessing their reachability and business criticality, and then determining the accountable owner to plan a risk-based remediation.
- Identify application owners and assets.
- Verify reachability and business criticality.
- Plan remediation based on confirmed risk.