CVE-2023-0609: 
PHP vulnerability analysis and mitigation

An Improper Authorization vulnerability was discovered in GitHub repository wallabag/wallabag affecting versions prior to 2.5.3. The vulnerability was assigned CVE-2023-0609 and was disclosed on February 1, 2023. The issue affects the ExportController component of the wallabag application (NVD, CVE).

The vulnerability received a CVSS v3.1 base score of 4.3 (MEDIUM) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, while huntr.dev assessed it at 6.5 (MEDIUM) with vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue was identified as CWE-285 (Improper Authorization) and specifically involved improper authorization checks in the ExportController component (NVD).

The vulnerability could allow an authenticated attacker to access unauthorized data through the export functionality. The issue specifically affects the entry download feature, potentially exposing sensitive information from entries belonging to other users (GitHub Commit).

The vulnerability has been fixed in version 2.5.3 of wallabag. The fix implements proper authorization checks in the ExportController to verify that users can only access their own entries. Users are advised to upgrade to version 2.5.3 or later (GitHub Commit).