Kanboard Security Vulnerabilities
Kanboard is open source project management software that focuses on the Kanban methodology. A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript, and any user who views the task containing the malicious code will be exposed to the XSS attack. Note: the default CSP header configuration blocks this JavaScript attack. This issue has been addressed in version 1.2.30. Users are advised to upgrade. Users unable to upgrade should ensure that they have a restrictive CSP header configuration.
CVSS Score: 6.4 | EPSS Score: 0.001 | Published: 2023-06-05
Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a `missing access control` was found, which allows a user with the lowest privileges to leak all task and project titles within the software, even if they are not invited to the project or it is a personal project. This could also lead to private/critical information being leaked if such information is in the title. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2023-06-05
Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the `contentEditable` element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission to attach a document on a vulnerable Kanboard instance can trick the victim into pasting malicious screenshot data and achieve cross-site scripting if CSP is improperly configured. This issue has been patched in version 1.2.29.
CVSS Score: 4.4 | EPSS Score: 0.005 | Published: 2023-05-30
app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-02-04
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2017-10-11
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2017-10-11
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2017-10-11
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2017-10-11
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2017-10-11
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2017-10-11
Shodan ® - All rights reserved