Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

授权机制缺失

Wallos 安全漏洞

Wallos是Miguel Ribeiro个人开发者的一个开源个人订阅跟踪器。 Wallos 4.6.2之前版本存在安全漏洞，该漏洞源于头像删除端点未验证请求的头像是否属于当前用户，可能导致经过身份验证的用户删除其他用户上传的头像文件。

N/A

N/A