Full Disclosure mailing list archives
Kanboard 1.2.7 Multiple Vulnerabilities
From: Will Boucher via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 18 Feb 2019 21:45:05 +0000
Kanboard 1.2.7 Multiple Vulnerabilities

Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include CSV account import cross site request forgery which allows an unauthenticated attacker to create a new administrative user. Cross site request forgery 2FA deactivation, allowing an unauthenticated attacker to disable an account's 2FA configuration. A lack of integrity checking or transport layer encryption enforced on plugins enables remote code execution by a malicious admin.

Other vulnerabilities include: session privilege retention, 2FA bypass, database user_id and pre-2FA information disclosure.

Full Advisory URL: https://pulsesecurity.co.nz/advisories/Kanboard

--
Will Boucher
Security Consultant
Pulse Security
www.PulseSecurity.co.nz

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/