CVE-2024-51747 – Arbitrary File Read and Delete in kanboard
https://notcve.org/view.php?id=CVE-2024-51747
Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments, that are viewable or downloadable in Kanboard are resolved through its `path` entry in the `project_has_files` SQLite db. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature, can set arbitrary file links, by abusing path traversals. Once the modified db is uploaded and the project page is accessed, a file download can be triggered and all files, readable in the context of the Kanboard application permissions, can be downloaded. • https://github.com/kanboard/kanboard/security/advisories/GHSA-78pf-vg56-5p8v • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-27: Path Traversal: 'dir/../../filename' •
CVE-2024-51748 – Remote code execution through language setting in kanboard
https://notcve.org/view.php?id=CVE-2024-51748
Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can run arbitrary php code on the server in combination with a file write possibility. The user interface language is determined and loaded by the setting `application_language` in the `settings` table. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature, has control over the filepath, which is loaded. Exploiting this vulnerability has one constraint: the attacker must be able to place a file (called translations.php) on the system. • https://github.com/kanboard/kanboard/security/advisories/GHSA-jvff-x577-j95p • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-36399 – Kanboard affected by Project Takeover via IDOR in ProjectPermissionController
https://notcve.org/view.php?id=CVE-2024-36399
Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. • https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7 https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv • CWE-284: Improper Access Control CWE-285: Improper Authorization CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2019-1003020
https://notcve.org/view.php?id=CVE-2019-1003020
A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL. Existe una vulnerabilidad Server-Side Request Forgery (SSRF) en Jenkins Kanboard Plugin, en versiones 1.5.10 y anteriores, en KanboardGlobalConfiguration.java, que permite que atacantes con el permiso Overall/Read envíen una petición GET a una URL especificada por el atacante. • https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818 • CWE-918: Server-Side Request Forgery (SSRF) •