Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Kanboard 1.2.7 Multiple Vulnerabilities

From: Will Boucher via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 18 Feb 2019 21:45:05 +0000
Kanboard 1.2.7 Multiple Vulnerabilities

Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include CSV account import cross site request 
forgery which allows an unauthenticated attacker to create a new administrative user. Cross site request forgery 2FA 
deactivation, allowing an unauthenticated attacker to disable an account's 2FA configuration. A lack of integrity 
checking or transport layer encryption enforced on plugins enables remote code execution by a malicious admin. Other 
vulnerabilities include: session privilege retention, 2FA bypass, database user_id and pre-2FA information disclosure.

Full Advisory URL : https://pulsesecurity.co.nz/advisories/Kanboard

--
Will Boucher
Security Consultant
Pulse Security
www.PulseSecurity.co.nz


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: