Kanboard
CVE-2023-33970
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a missing access control was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or it's a personal project. This could also lead to private/critical information being leaked if such information is in the title. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a missing access control was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or it's a personal project. This could also lead to private/critical information being leaked if such information is in the title. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Kanboard. Version information: version 1.2.30..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.
Kanboard project management (through 1.2.48) has an authentication bypass when REVERSE_PROXY_AUTH is enabled. The applic
Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 8.8), this vul
Remote code execution in Kanboard prior to 1.2.50 allows authenticated administrators to bypass plugin installation rest
Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to
Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one pro
Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul
Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul
Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentic
Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.5), this v
Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS
Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.3), this v
Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plai
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today