Wekan
CVE-2021-20654
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. This is named 'Fieldbleed' in the vendor's site.
AnalysisAI
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. This is named 'Fieldbleed' in the vendor's site. Affected products include: Wekan Project Wekan. Version information: version 3.12.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke
Broken authorization in Wekan versions prior to 8.20 lets any authenticated non-administrative user invoke board migrati
Authorization bypass in WeKan (self-hosted kanban board) versions prior to 8.19 lets an authenticated user create public
Improper authorization in WeKan's card-move API lets an authenticated low-privilege user relocate cards to boards, lists
Privilege escalation via broken authorization in WeKan (the open-source kanban board) before 8.19 lets users holding rea
Cross-board data tampering in WeKan (open-source Trello-style kanban board) before version 8.19 lets an authenticated lo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today