GHSA-56fm-hfp3-x3w3: 
PHP vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Wallabag (versions >= 2.0.0-alpha.1, < 2.6.7) that allows attackers to arbitrarily disable Two-Factor Authentication (2FA) through specific endpoints (/config/otp/app/disable and /config/otp/email/disable). The vulnerability was reported by dhina016 through huntr.dev and was published on October 2, 2023, with a CVSSv3.1 score of 4.3 (Moderate severity) (GitHub Advisory).

The vulnerability (GHSA-56fm-hfp3-x3w3) is characterized by a CVSS v3.1 base score of 4.3 with the following metrics: Network attack vector, Low attack complexity, No privileges required, User interaction Required, Unchanged scope, No impact on Confidentiality, Low impact on Integrity, and No impact on Availability. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (GitHub Advisory).

The vulnerability allows attackers to disable a user's Two-Factor Authentication without proper authorization. This affects both email-based 2FA and app-based 2FA implementations in Wallabag, potentially compromising the security of user accounts by bypassing their additional authentication layer (GitHub Advisory).

The vulnerability has been patched in version 2.6.7. The fix involves requiring POST method for the vulnerable endpoints. Users are strongly recommended to upgrade their Wallabag instance to version 2.6.7 or higher (GitHub Advisory).