Source: kanboard
Version: 1.2.26+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for kanboard.

CVE-2023-33956[0]:
| Kanboard is open source project management software that focuses on
| the Kanban methodology. Versions prior to 1.2.30 are subject to an
| Insecure direct object reference (IDOR) vulnerability present in the
| application's URL parameter. This vulnerability enables any user to
| read files uploaded by any other user, regardless of their privileges
| or restrictions. By Changing the file_id any user can render all the
| files where MimeType is image uploaded under **/files** directory
| regard less of uploaded by any user. This vulnerability poses a
| significant impact and severity to the application's security. By
| manipulating the URL parameter, an attacker can access sensitive files
| that should only be available to authorized users. This includes
| confidential documents or any other type of file stored within the
| application. The ability to read these files can lead to various
| detrimental consequences, such as unauthorized disclosure of sensitive
| information, privacy breaches, intellectual property theft, or
| exposure of trade secrets. Additionally, it could result in legal and
| regulatory implications, reputation damage, financial losses, and
| potential compromise of user trust. Users are advised to upgrade.
| There are no known workarounds for this vulnerability.


CVE-2023-33968[1]:
| Kanboard is open source project management software that focuses on
| the Kanban methodology. Versions prior to 1.2.30 are subject to a
| missing access control vulnerability that allows a user with low
| privileges to create or transfer tasks to any project within the
| software, even if they have not been invited or the project is
| personal. The vulnerable features are `Duplicate to project` and `Move
| to project`, which both utilize the `checkDestinationProjectValues()`
| function to check his values. This issue has been addressed in version
| 1.2.30. Users are advised to upgrade. There are no known workarounds
| for this vulnerability.


CVE-2023-33969[2]:
| Kanboard is open source project management software that focuses on
| the Kanban methodology. A stored Cross site scripting (XSS) allows an
| attacker to execute arbitrary Javascript and any user who views the
| task containing the malicious code will be exposed to the XSS attack.
| Note: The default CSP header configuration blocks this javascript
| attack. This issue has been addressed in version 1.2.30. Users are
| advised to upgrade. Users unable to upgrade should ensure that they
| have a restrictive CSP header config.


CVE-2023-33970[3]:
| Kanboard is open source project management software that focuses on
| the Kanban methodology. A vulnerability related to a `missing access
| control` was found, which allows a User with the lowest privileges to
| leak all the tasks and projects titles within the software, even if
| they are not invited or it's a personal project. This could also lead
| to private/critical information being leaked if such information is in
| the title. This issue has been addressed in version 1.2.30. Users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33956
    https://www.cve.org/CVERecord?id=CVE-2023-33956
[1] https://security-tracker.debian.org/tracker/CVE-2023-33968
    https://www.cve.org/CVERecord?id=CVE-2023-33968
[2] https://security-tracker.debian.org/tracker/CVE-2023-33969
    https://www.cve.org/CVERecord?id=CVE-2023-33969
[3] https://security-tracker.debian.org/tracker/CVE-2023-33970
    https://www.cve.org/CVERecord?id=CVE-2023-33970

Regards,
Salvatore

Reply via email to