{
  "schema_version": "1.4.0",
  "id": "GHSA-5pm7-cp8f-p2c2",
  "modified": "2025-04-09T13:09:26Z",
  "published": "2025-04-09T13:09:26Z",
  "aliases": [],
  "summary": "wallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities",
  "details": "## Impact\n\nwallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities across several endpoints. An attacker could craft a malicious link or page that, if visited by a logged-in wallabag user, could trick the user's browser into performing unintended actions within their wallabag account without their consent. Additionally, one endpoint affects the login page locale setting.\n\nThe affected endpoints allow attackers to potentially perform actions such as:\n\n* **Manage API Tokens:**\n    * `/generate-token`\n    * `/revoke-token`\n* **Manage User Rules:**\n    * `/tagging-rule/delete/{taggingRule}`\n    * `/ignore-origin-user-rule/delete/{ignoreOriginUserRule}`\n* **Modify User Configuration:**\n    * `/config/view-mode`\n* **Manage Individual Entries:**\n    * `/reload/{id}`\n    * `/archive/{id}`\n    * `/star/{id}`\n    * `/delete/{id}`\n    * `/share/{id}`\n    * `/share/delete/{id}`\n* **Manage Tags:**\n    * `/remove-tag/{entry}/{tag}`\n    * `/tag/search/{filter}`\n    * `/tag/delete/{slug}`\n* **Perform Bulk Actions:**\n    * `/mass`\n* **Change Interface Language (Login Page):**\n    * `/locale/{language}`\n\nSuccessfully exploiting these vulnerabilities could lead to unauthorized modification or deletion of user data, configuration changes, token manipulation, or interface changes, depending on the specific endpoint targeted.\n\nThis set of vulnerabilities has an aggregated CVSS v3.1 score of 4.3 (Medium).\n\n**Users are strongly advised to upgrade their wallabag instance to version 2.6.11 or later to mitigate these vulnerabilities.**\n\n## Resolution\n\nThese vulnerabilities have been addressed in wallabag version **2.6.11**. The affected endpoints have been modified to require the HTTP POST method along with a valid CSRF token for state-changing actions, preventing attackers from forcing users' browsers to perform these actions unintentionally.\n\n## Credits\n\nFound, reported and fixed by @yguedidi",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wallabag/wallabag"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.11"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/security/advisories/GHSA-5pm7-cp8f-p2c2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/edffef837598355c9bec433c469f1e04c35b27cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/ed1acf59e166a2a6bb81c52baaeabd6196feae98"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/eb8408b22fbaa6b3d78047d6203b23b7f52bbf03"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/e162408139ac9bb12e69f4d49de45ade49369c21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/ddf2e808422e41ea55cebf2aa12eb1823c5c340a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/d703fa6a3a75f7c3b433e8caf618bfb0a9a0ba63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/d1e128900acc0cb8c88eb7a085c9ef5420cf0c43"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/cf49be694089667bbab9f10d52862fbdba9a89de"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/ac5b5fb379233d6e96ea14ae21b7f88761d5fa3f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/99c8a06594d6ee7480ce4d041ccff3025b353656"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/6fa61c0f9c48d37625c92a8913b487230761fb47"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/677b2986bc78df4c7ecfed87a24593fa0553fd3c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/5ea5115a721651f2af349e8451be8947dad9c814"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/3817010e29ed368df271cdd11ec71a46a341c673"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/27f0d94db72fb2a54b5965e4e9908a0f418f44b5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/264f91126e2c42188b80848c881264da743b4dc1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/0d8429dfc77b84f50060b253fd84f1c09b892226"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wallabag/wallabag/commit/00d0e6f951927434039465b4d3ae3dd661911172"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wallabag/wallabag"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-09T13:09:26Z",
    "nvd_published_at": null
  }
}