
Stored XSS when viewing shared assets

High
sissbruecker published GHSA-3pf9-5cjv-2w7q Dec 13, 2025

Package

No package listed

Affected versions

<=1.44.1

Patched versions

1.44.2

Description

Impact

linkding allows uploading arbitrary files ("assets") for each bookmark. Bookmarks can be shared with other users, which also allows those users to view the uploaded assets. For certain file types (HTML files, SVG files) browsers may choose to render the file directly instead of downloading it. This allows a user to craft files containing malicious scripts and upload them for a shared bookmark. When another user views such a file, the script effectively runs on the same origin as the linkding application, giving full access to that user's account. This includes managing bookmarks and the profile, changing the password, or access to admin functionality.
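The root cause described above is that an uploaded file is handed to the browser with a renderable content type and no instruction to treat it as a download, so it executes in the application's origin. The following is an added example, not linkding's code or its actual fix: it contrasts the weak response headers with a hardened set (forced `attachment` disposition with an RFC 6266 `filename*`, `nosniff`, and a CSP `sandbox` as a second layer) and models which of the two a browser would render inline. The function names and the list of active content types are this example's own assumptions.

```python
"""Added example (not linkding's code): serving user-uploaded assets so that
HTML/SVG uploads are never rendered on the application's origin."""
import mimetypes
from urllib.parse import quote

# Content types a browser will render as a document and execute script from.
# Constructed for this example; extend it for your own application.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def weak_asset_headers(filename: str) -> dict:
    """The pattern behind the advisory: guess a MIME type from the name and let
    the browser decide how to display the file (HTML/SVG get rendered inline)."""
    ctype, _ = mimetypes.guess_type(filename)
    return {"Content-Type": ctype or "application/octet-stream"}


def hardened_asset_headers(filename: str) -> dict:
    """Always force a download, forbid MIME sniffing, and sandbox the response
    so that even a misconfiguration upstream cannot run script in our origin."""
    ctype, _ = mimetypes.guess_type(filename)
    ctype = ctype or "application/octet-stream"
    # ASCII fallback name: drop quotes/backslashes and non-printable characters
    # so a crafted file name cannot break out of the header value.
    ascii_name = "".join(
        c if 32 <= ord(c) < 127 and c not in '"\\' else "_" for c in filename
    ) or "download"
    # RFC 6266 / RFC 8187: UTF-8 percent-encoded filename* for the real name.
    disposition = 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        ascii_name,
        quote(filename, safe=""),
    )
    return {
        "Content-Type": ctype,
        "Content-Disposition": disposition,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def rendered_inline(headers: dict) -> bool:
    """Conservative model of browser behaviour: the response is rendered as a
    document (and its scripts run) only when it is not marked as an attachment
    and its declared type is active content."""
    disposition = headers.get("Content-Disposition", "inline")
    disposition = disposition.split(";")[0].strip().lower()
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return disposition != "attachment" and ctype in ACTIVE_CONTENT_TYPES


if __name__ == "__main__":
    for name in ("diagram.svg", "page.html", "report.pdf"):
        print(name, "weak:", rendered_inline(weak_asset_headers(name)),
              "hardened:", rendered_inline(hardened_asset_headers(name)))
```

The `Content-Disposition: attachment` header is what actually closes the hole; `nosniff` stops a browser from upgrading an `application/octet-stream` body to HTML, and `sandbox` puts any document that does get rendered into an opaque origin without script, so a regression in one layer does not immediately become account takeover.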

This affects:

  • Setups with more than one user
  • Setups where bookmark sharing is enabled for both users
  • Manually uploaded HTML or SVG files

Not affected are:

  • Setups with a single user
  • Setups where bookmark sharing is disabled for either user
  • HTML files created by the linkding snapshot feature

Patches

The issue has been fixed in v1.44.2.

Workarounds

The main recommendation is to upgrade. If that is not feasible, consider the following:

  • Delete potentially affected files (at least HTML and SVG), either from the database or the file system. Relevant files are prefixed with upload_.
  • Disable manual upload of files by setting the LD_DISABLE_ASSET_UPLOAD environment variable to true.
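To support the first workaround, here is an added example (not linkding's code) that locates manually uploaded assets a browser could render as active content. The `upload_` prefix comes from the advisory; the asset directory path, the byte markers used to recognise HTML/SVG content regardless of extension, and the dry-run-by-default behaviour are this example's own assumptions. The constructed sample directory in `demo()` exists only so the scanner can be exercised offline.

```python
"""Added example (not linkding's code): list `upload_*` assets that look like
HTML or SVG so they can be reviewed or removed as the workaround suggests."""
import re
import sys
import tempfile
from pathlib import Path

# Markers that identify HTML/SVG even when the extension says otherwise.
# Constructed for this example; matched case-insensitively in the first 2 KiB,
# which is where these markers appear in real documents.
_ACTIVE_MARKERS = re.compile(rb"<!doctype\s+html|<html\b|<svg\b|<script\b", re.IGNORECASE)
_ACTIVE_SUFFIXES = {".html", ".htm", ".xhtml", ".svg"}


def looks_active(path: Path) -> bool:
    """True if the file is named like, or starts like, an HTML/SVG document."""
    if path.suffix.lower() in _ACTIVE_SUFFIXES:
        return True
    with path.open("rb") as fh:
        head = fh.read(2048)
    return _ACTIVE_MARKERS.search(head) is not None


def find_affected_uploads(asset_dir, delete: bool = False) -> list:
    """Return sorted paths (relative to asset_dir) of `upload_*` files that look
    like HTML/SVG. Files created by other features (no `upload_` prefix) are
    ignored, matching the advisory's scope. With delete=True the listed files
    are removed; the default is a dry run."""
    root = Path(asset_dir)
    hits = []
    for path in sorted(root.rglob("upload_*")):
        if path.is_file() and looks_active(path):
            hits.append(str(path.relative_to(root)))
            if delete:
                path.unlink()
    return hits


def demo() -> list:
    """Build a constructed sample asset directory in a temp dir and scan it."""
    samples = {
        "upload_notes.html": b"<!DOCTYPE html><p>constructed sample</p>",
        "upload_logo.svg": b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>",
        "upload_report.pdf": b"%PDF-1.4 constructed sample, not active content",
        # Wrong extension, but the content is an HTML fragment: caught by sniffing.
        "upload_disguised.txt": b"  <SCRIPT>/* constructed */</SCRIPT>",
        # Not prefixed with upload_, so out of scope per the advisory.
        "snapshot_example.html": b"<html></html>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in samples.items():
            (root / name).write_bytes(body)
        return find_affected_uploads(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel in (find_affected_uploads(target) if target else demo()):
        print(rel)
```

Run it against the assets directory to get a review list first; only pass `delete=True` (or remove the files by hand) once the list has been checked, since any `upload_` file whose first bytes look like markup is reported, not only those with an HTML or SVG extension.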

Credits

Thanks to Deema Alfehaid for reporting this issue.

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs