Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars
Vulnerability Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
授权机制缺失
Vulnerability Title
Wallos 安全漏洞
Vulnerability Description
Wallos是Miguel Ribeiro个人开发者的一个开源个人订阅跟踪器。 Wallos 4.6.2之前版本存在安全漏洞,该漏洞源于头像删除端点未验证请求的头像是否属于当前用户,可能导致经过身份验证的用户删除其他用户上传的头像文件。
CVSS Information
N/A
Vulnerability Type
N/A