Logged in user can query password links of ALL passwords (SVE-624-2019-2)
passwords/link/getList.php
Calling this Ajax function allows any (!) logged in user to retrieve the password links from any (!) password! He only needs the password ID. These are not generated randomly but incrementally (i.e. 1,2,3,4,5,...). In addition, there is no timeout, so that thousands of IDs can be tested very quickly. This is VERY dangerous, as all externally shared passwords without a pin can be viewed! Passwords secured by a PIN cannot be viewed directly, but it is possible to bruteforce the PIN. The program code is not protected against brute force attacks. Fortunately, the PIN must be at least six characters long. This can consist of any number of characters. However, it is questionable that the PIN only consists of numbers when random generation is used. This limits the number of possible PINs to 999,999.