[MEDIUM] wallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities

PKSA-47nk-mbyf-3k8g GHSA-5pm7-cp8f-p2c2

Affected version: <2.6.11

Reported by:
GitHub

[MEDIUM] CSRF leading to delete account in wallabag/wallabag

PKSA-62vh-rqjc-f5hc CVE-2023-0737 GHSA-99w8-c5f6-96pp

Affected version: <2.5.4

Reported by:
GitHub

[MEDIUM] Wallabag user can disable 2FA unintentionally

PKSA-rpn3-c2zq-8bxc GHSA-56fm-hfp3-x3w3

Affected version: >=2.0.0-alpha.1,<2.6.7

Reported by:
GitHub

[MEDIUM] Wallabag user can reset data unintentionally

PKSA-grtz-7vrv-bfdf CVE-2023-4454 GHSA-p8gp-899c-jvq9

Affected version: >=2.0.0-alpha.1,<=2.6.2

Reported by:
GitHub

[MEDIUM] Wallabag user can delete own API client unintentionally

PKSA-w8zw-n8jy-dww5 CVE-2023-4455 GHSA-gjvc-55fw-v6vq

Affected version: >=2.0.0-alpha.1,<=2.6.2

Reported by:
GitHub

[MEDIUM] Wallabag vulnerable to Allocation of Resources Without Limits or Throttling

PKSA-vwxb-cgc5-dhmx CVE-2023-3566 GHSA-6qq7-3hqc-p5w4

Affected version: <=2.5.4

Reported by:
GitHub

[MEDIUM] Wallabag Improper Authorization vulnerability

PKSA-hbyb-nbdj-8w6v CVE-2023-0734 GHSA-8ccw-f83g-v7g3

Affected version: <2.5.4

Reported by:
GitHub

[MEDIUM] Cross-Site Request Forgery (CSRF) in wallabag/wallabag

PKSA-fk8j-yrtn-xxzw CVE-2023-0735 GHSA-2qxp-xmx6-cq4f

Affected version: <2.5.4

Reported by:
GitHub

[MEDIUM] Cross-site Scripting (XSS) in wallabag/wallabag

PKSA-s8hr-qk43-x2k7 CVE-2023-0736 GHSA-3x2c-87cq-qx49

Affected version: <2.5.4

Reported by:
GitHub

[MEDIUM] wallabag subject to Improper Authorization via annotations

PKSA-21nm-75ss-dypw CVE-2023-0610 GHSA-mrqx-mjc4-vfh3

Affected version: >=2.0.0-beta.1,<2.5.3

Reported by:
GitHub

[MEDIUM] wallabag contains Improper Authorization via export feature

PKSA-5542-ywqz-x2b1 CVE-2023-0609 GHSA-qwx8-mxxx-mg96

Affected version: >=2.0.0-alpha.1,<2.5.3

Reported by:
GitHub