Source: kanboard Version: 1.2.26+ds-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for kanboard. CVE-2023-33956[0]: | Kanboard is open source project management software that focuses on | the Kanban methodology. Versions prior to 1.2.30 are subject to an | Insecure direct object reference (IDOR) vulnerability present in the | application's URL parameter. This vulnerability enables any user to | read files uploaded by any other user, regardless of their privileges | or restrictions. By Changing the file_id any user can render all the | files where MimeType is image uploaded under **/files** directory | regard less of uploaded by any user. This vulnerability poses a | significant impact and severity to the application's security. By | manipulating the URL parameter, an attacker can access sensitive files | that should only be available to authorized users. This includes | confidential documents or any other type of file stored within the | application. The ability to read these files can lead to various | detrimental consequences, such as unauthorized disclosure of sensitive | information, privacy breaches, intellectual property theft, or | exposure of trade secrets. Additionally, it could result in legal and | regulatory implications, reputation damage, financial losses, and | potential compromise of user trust. Users are advised to upgrade. | There are no known workarounds for this vulnerability. CVE-2023-33968[1]: | Kanboard is open source project management software that focuses on | the Kanban methodology. Versions prior to 1.2.30 are subject to a | missing access control vulnerability that allows a user with low | privileges to create or transfer tasks to any project within the | software, even if they have not been invited or the project is | personal. The vulnerable features are `Duplicate to project` and `Move | to project`, which both utilize the `checkDestinationProjectValues()` | function to check his values. This issue has been addressed in version | 1.2.30. Users are advised to upgrade. There are no known workarounds | for this vulnerability. CVE-2023-33969[2]: | Kanboard is open source project management software that focuses on | the Kanban methodology. A stored Cross site scripting (XSS) allows an | attacker to execute arbitrary Javascript and any user who views the | task containing the malicious code will be exposed to the XSS attack. | Note: The default CSP header configuration blocks this javascript | attack. This issue has been addressed in version 1.2.30. Users are | advised to upgrade. Users unable to upgrade should ensure that they | have a restrictive CSP header config. CVE-2023-33970[3]: | Kanboard is open source project management software that focuses on | the Kanban methodology. A vulnerability related to a `missing access | control` was found, which allows a User with the lowest privileges to | leak all the tasks and projects titles within the software, even if | they are not invited or it's a personal project. This could also lead | to private/critical information being leaked if such information is in | the title. This issue has been addressed in version 1.2.30. Users are | advised to upgrade. There are no known workarounds for this | vulnerability. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-33956 https://www.cve.org/CVERecord?id=CVE-2023-33956 [1] https://security-tracker.debian.org/tracker/CVE-2023-33968 https://www.cve.org/CVERecord?id=CVE-2023-33968 [2] https://security-tracker.debian.org/tracker/CVE-2023-33969 https://www.cve.org/CVERecord?id=CVE-2023-33969 [3] https://security-tracker.debian.org/tracker/CVE-2023-33970 https://www.cve.org/CVERecord?id=CVE-2023-33970 Regards, Salvatore

