Skip to main content

Kanboard CVE-2023-33956

MEDIUM
Information Exposure (CWE-200)
2023-06-05 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 05, 2023 - 20:15 nvd
MEDIUM 6.5

DescriptionNVD

Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any other user, regardless of their privileges or restrictions. By Changing the file_id any user can render all the files where MimeType is image uploaded under /files directory regard less of uploaded by any user. This vulnerability poses a significant impact and severity to the application's security. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorized users. This includes confidential documents or any other type of file stored within the application. The ability to read these files can lead to various detrimental consequences, such as unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets. Additionally, it could result in legal and regulatory implications, reputation damage, financial losses, and potential compromise of user trust. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any other user, regardless of their privileges or restrictions. By Changing the file_id any user can render all the files where MimeType is image uploaded under /files directory regard less of uploaded by any user. This vulnerability poses a significant impact and severity to the application's security. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorized users. This includes confidential documents or any other type of file stored within the application. The ability to read these files can lead to various detrimental consequences, such as unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets. Additionally, it could result in legal and regulatory implications, reputation damage, financial losses, and potential compromise of user trust. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Kanboard. Version information: prior to 1.2.30.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2026-21881 CRITICAL POC
9.1 Jan 08

Kanboard project management (through 1.2.48) has an authentication bypass when REVERSE_PROXY_AUTH is enabled. The applic

CVE-2023-36813 HIGH POC
8.8 Jul 05

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 8.8), this vul

CVE-2026-25924 HIGH POC
8.4 Feb 11

Remote code execution in Kanboard prior to 1.2.50 allows authenticated administrators to bypass plugin installation rest

CVE-2025-52560 HIGH POC
8.1 Jun 24

Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to

CVE-2026-58660 HIGH POC
7.2 Jul 15

Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one pro

CVE-2024-51748 HIGH POC
7.2 Nov 11

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul

CVE-2024-51747 HIGH POC
7.2 Nov 11

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul

CVE-2014-3920 MEDIUM POC
6.8 Jul 03

Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentic

CVE-2024-55603 MEDIUM POC
6.5 Dec 19

Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.5), this v

CVE-2023-33970 MEDIUM POC
6.5 Jun 05

Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS

CVE-2024-36399 MEDIUM POC
6.3 Jun 06

Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.3), this v

CVE-2026-24885 MEDIUM POC
5.7 Feb 10

Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plai

Share

CVE-2023-33956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy