Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Oct 2017 20:18:40 +0200
From: chbi@...i.eu
To: oss-security@...ts.openwall.com
Subject: Several Privilege Escalation issues in Kanboard <= 1.0.46


Hi,

I've discovered several security issues in Kanboard <= 1.0.46
(https://kanboard.net)



1)
By altering form data an authenticated user can edit Name, Email,
Identifier, Description,... of a private project of another user.


2)
By altering form data an authenticated user can add a new task to a
private project of another user.


3)
By altering form data an authenticated user can edit columns of a
private project of another user.


4)
By altering form data an authenticated user can add a new category to a
private project of another user.


5)
By altering form data an authenticated user can edit a category of a
private project of another user.


6)
By altering form data an authenticated user can edit swimlanes of a
private project of another user.


7)
By altering form data an authenticated user can edit tags of a private
project of another user.


8)
By altering form data an authenticated user can add automatic actions to
a private project of another user.


9)
By altering form data an authenticated user can remove columns from a
private project of another user.


10)
By altering form data an authenticated user can remove categories from a
private project of another user.


11)
By altering form data an authenticated user can at least see the name of
tags of a private project of another user.


12)
By altering form data an authenticated user can remove automatic actions
from a private project of another user.


13)
By altering form data an authenticated user can edit tasks of a private
project of another user.


14)
By altering form data an authenticated user can add a external link to a
private project of another user.


15)
By altering form data an authenticated user can add a internal link to a
private project of another user.


Fix:
https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0
https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524




16)
By altering form data an authenticated user can download attachments
from a private project of another user.


17)
By altering form data an authenticated user can see thumbnails of
pictures from a private project of another user.


18)
By altering form data an authenticated user can remove attachments from
a private project of another user.


Fix:
https://github.com/kanboard/kanboard/commit/7100f6de8a1f566e260b3e65312767e4cde112b1



The issues are fixed in Kanboard 1.0.47.

https://kanboard.net/news/version-1.0.47




Should I request a CVE ID for each issue or one CVE ID for all issues?

What is the recommended method?



-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.