oss-sec mailing list archives

Several Privilege Escalation issues in Kanboard <= 1.0.46

From: chbi () chbi eu
Date: Wed, 4 Oct 2017 20:18:40 +0200


Hi,

I've discovered several security issues in Kanboard <= 1.0.46
(https://kanboard.net)



1)
By altering form data an authenticated user can edit Name, Email,
Identifier, Description,... of a private project of another user.


2)
By altering form data an authenticated user can add a new task to a
private project of another user.


3)
By altering form data an authenticated user can edit columns of a
private project of another user.


4)
By altering form data an authenticated user can add a new category to a
private project of another user.


5)
By altering form data an authenticated user can edit a category of a
private project of another user.


6)
By altering form data an authenticated user can edit swimlanes of a
private project of another user.


7)
By altering form data an authenticated user can edit tags of a private
project of another user.


8)
By altering form data an authenticated user can add automatic actions to
a private project of another user.


9)
By altering form data an authenticated user can remove columns from a
private project of another user.


10)
By altering form data an authenticated user can remove categories from a
private project of another user.


11)
By altering form data an authenticated user can at least see the name of
tags of a private project of another user.


12)
By altering form data an authenticated user can remove automatic actions
from a private project of another user.


13)
By altering form data an authenticated user can edit tasks of a private
project of another user.


14)
By altering form data an authenticated user can add a external link to a
private project of another user.


15)
By altering form data an authenticated user can add a internal link to a
private project of another user.


Fix:
https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0
https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524




16)
By altering form data an authenticated user can download attachments
from a private project of another user.


17)
By altering form data an authenticated user can see thumbnails of
pictures from a private project of another user.


18)
By altering form data an authenticated user can remove attachments from
a private project of another user.


Fix:
https://github.com/kanboard/kanboard/commit/7100f6de8a1f566e260b3e65312767e4cde112b1



The issues are fixed in Kanboard 1.0.47.

https://kanboard.net/news/version-1.0.47




Should I request a CVE ID for each issue or one CVE ID for all issues?

What is the recommended method?



-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

Several Privilege Escalation issues in Kanboard <= 1.0.46 chbi (Oct 04)
- Re: Several Privilege Escalation issues in Kanboard <= 1.0.46 Henri S. (Oct 08)
  - Re: Several Privilege Escalation issues in Kanboard <= 1.0.46 chbi (Oct 09)
- Re: Several Privilege Escalation issues in Kanboard <= 1.0.46 chbi (Oct 10)