Vulnerability Instance

wallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities
## Impact

wallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities across several endpoints. An attacker could craft a malicious link or page that, if visited by a logged-in wallabag user, could trick the user's browser into performing unintended actions within their wallabag account without their consent. Additionally, one endpoint affects the login page locale setting.

The affected endpoints allow attackers to potentially perform actions such as:

* **Manage API Tokens:**
    * `/generate-token`
    * `/revoke-token`
* **Manage User Rules:**
    * `/tagging-rule/delete/{taggingRule}`
    * `/ignore-origin-user-rule/delete/{ignoreOriginUserRule}`
* **Modify User Configuration:**
    * `/config/view-mode`
* **Manage Individual Entries:**
    * `/reload/{id}`
    * `/archive/{id}`
    * `/star/{id}`
    * `/delete/{id}`
    * `/share/{id}`
    * `/share/delete/{id}`
* **Manage Tags:**
    * `/remove-tag/{entry}/{tag}`
    * `/tag/search/{filter}`
    * `/tag/delete/{slug}`
* **Perform Bulk Actions:**
    * `/mass`
* **Change Interface Language (Login Page):**
    * `/locale/{language}`

Successfully exploiting these vulnerabilities could lead to unauthorized modification or deletion of user data, configuration changes, token manipulation, or interface changes, depending on the specific endpoint targeted.

This set of vulnerabilities has an aggregated CVSS v3.1 score of 4.3 (Medium).

**Users are strongly advised to upgrade their wallabag instance to version 2.6.11 or later to mitigate these vulnerabilities.**

## Resolution

These vulnerabilities have been addressed in wallabag version **2.6.11**. The affected endpoints have been modified to require the HTTP POST method along with a valid CSRF token for state-changing actions, preventing attackers from forcing users' browsers to perform these actions unintentionally.

## Credits

Found, reported and fixed by @yguedidi