Skip to content

Improper Authorization in /user/namespace/{namespace}/details/logo

Moderate
mrybczyn published GHSA-59rm-2j5r-q2xw Feb 19, 2025

Package

openvsx (source)

Affected versions

v0.9.0 - v0.20.0

Patched versions

v0.19.1
docker openvsx-server (Docker)
v0.9.0 - v0.20.0
v0.19.1

Description

Description

NOTE: One CVE has been issued for this one and GHSA-wc7c-xq2f-qp4h

The /user/namespace/{namespace}/details/logo API allows users to edit every namespace logos, even though they are not owner of the namespace or even if they are not part of the namespace at all.

PoC

  1. Visit https://open-vsx.org/
  2. Login via a GitHub user who does not have any privilege over any namespace
  3. Take note of the session cookie
  4. Visit the following URL: https://open-vsx.org/user/csrf
  5. Save in the current working directory a PNG image as image.png
  6. Replay the following request through curl after having replaced the $COOKIE placeholder with the value obtained at step 3, the $CSRF_TOKEN placeholder with the values obtained at step 4, and the $NAMESPACE placeholder with the name of the namespace to edit:
curl -H "X-Csrf-Token: $CSRF_TOKEN" -b "$COOKIE" -F [email protected] "https://open-vsx.org/user/namespace/$NAMESPACE/details/logo"

A live exploitation attempt could be observed at https://open-vsx.org/namespace/c which is not owned by the ShielderTest user, which the user who edited the namespace logo.

Impact

An attacker can update any namespace logo, inserting misleading one.
This can be abused as part of social engineering attacks.

Reporters

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID

CVE-2025-1007

Weaknesses

No CWEs

Credits