Kanboard had multiple vulnerabilities allowing low-privilege users to leak private task and project titles and inject malicious content across projects. The issues include missing access control in task duplication, stored XSS in external links, and unsafe internal linking, which were addressed in Kanboard 1.2.30.
#Kanboard #CVE-2023-33968 #CVE-2023-33969 #CVE-2023-33970
#Kanboard #CVE-2023-33968 #CVE-2023-33969 #CVE-2023-33970
Keypoints
- Kanboard versions up to 1.2.29 contained three critical CVEs affecting access control and input sanitization.
- Low-privilege users could move tasks to other projects, bypassing destination permissions.
- Stored XSS existed in the Task External Link functionality due to improper escaping.
- Internal task linking allowed leaking of task and project titles without proper permission checks.
- Vendor issued a patch, releasing Kanboard 1.2.30 to remediate the vulnerabilities.
Read More: https://castilho.sh/kanboard