Skip to main content

Kanboard CVE-2024-51747

HIGH
Path Traversal (CWE-22)
2024-11-11 security-advisories@github.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 11, 2024 - 20:15 nvd
HIGH 7.2

DescriptionNVD

Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments, that are viewable or downloadable in Kanboard are resolved through its path entry in the project_has_files SQLite db. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature, can set arbitrary file links, by abusing path traversals. Once the modified db is uploaded and the project page is accessed, a file download can be triggered and all files, readable in the context of the Kanboard application permissions, can be downloaded. This issue has been addressed in version 1.2.42 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments, that are viewable or downloadable in Kanboard are resolved through its path entry in the project_has_files SQLite db. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature, can set arbitrary file links, by abusing path traversals. Once the modified db is uploaded and the project page is accessed, a file download can be triggered and all files, readable in the context of the Kanboard application permissions, can be downloaded. This issue has been addressed in version 1.2.42 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Kanboard. Version information: version 1.2.42.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2026-21881 CRITICAL POC
9.1 Jan 08

Kanboard project management (through 1.2.48) has an authentication bypass when REVERSE_PROXY_AUTH is enabled. The applic

CVE-2023-36813 HIGH POC
8.8 Jul 05

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 8.8), this vul

CVE-2026-25924 HIGH POC
8.4 Feb 11

Remote code execution in Kanboard prior to 1.2.50 allows authenticated administrators to bypass plugin installation rest

CVE-2025-52560 HIGH POC
8.1 Jun 24

Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to

CVE-2026-58660 HIGH POC
7.2 Jul 15

Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one pro

CVE-2024-51748 HIGH POC
7.2 Nov 11

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul

CVE-2014-3920 MEDIUM POC
6.8 Jul 03

Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentic

CVE-2024-55603 MEDIUM POC
6.5 Dec 19

Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.5), this v

CVE-2023-33970 MEDIUM POC
6.5 Jun 05

Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS

CVE-2023-33956 MEDIUM POC
6.5 Jun 05

Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS

CVE-2024-36399 MEDIUM POC
6.3 Jun 06

Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.3), this v

CVE-2026-24885 MEDIUM POC
5.7 Feb 10

Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plai

Share

CVE-2024-51747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy