Wekan
Monthly
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.
Wekan versions 8.32 and 8.33 allow authenticated users to modify custom fields across any board due to insufficient access validation in the custom fields API endpoints. An attacker with access to one board can exploit this Insecure Direct Object Reference vulnerability to manipulate custom fields on other boards by supplying foreign field IDs. A patch is available to address this authorization bypass.
Wekan versions up to 8.18 contain an authorization bypass in the custom translation handler that allows authenticated users to manipulate translation settings they should not have access to. An attacker with valid credentials can exploit the setCreateTranslation function to gain unauthorized access to modify translations, potentially affecting application functionality and data integrity. The vulnerability has been patched in version 8.19 and users should upgrade immediately.
Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Activity Publication Handler that allows unauthenticated remote attackers to access sensitive data through manipulation of the activities.js file. The vulnerability requires no user interaction and can be exploited over the network with low complexity. Users should upgrade to version 8.21 or apply patch 91a936e07d2976d4246dfe834281c3aaa87f9503 to remediate this issue.
Improper access controls in WeKan's administrative repair handler (fixDuplicateLists.js) allow authenticated remote attackers to manipulate list data and gain unauthorized access to sensitive information. Affected versions through 8.20 can be remediated by upgrading to version 8.21 or applying the referenced patch.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Meteor Publication Handler's card publication mechanism that allows authenticated remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction to exploit, and is resolved in version 8.21.
Wekan before version 8.20 fails to properly validate user permissions on migration functions, allowing authenticated non-admin users to execute unauthorized migration operations. This vulnerability affects any Wekan deployment and could be exploited by low-privileged users to compromise data integrity or availability. A patch is available.
Wekan versions before 8.19 fail to properly enforce the allowPrivateOnly configuration setting during board creation, allowing authenticated users to create public boards when only private boards should be permitted. This authorization bypass enables users to circumvent intended access control policies and expose board data beyond the intended scope. A patch is available for affected installations.
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 4.3).
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. [CVSS 5.4 MEDIUM]
Wekan prior to version 8.19 improperly validates permissions on card update API endpoints, checking only read access instead of requiring write permissions. This allows read-only users to modify cards they should not be able to edit. A patch is available to address this authorization bypass.
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 7.5).
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 7.5).
Wekan versions before 8.19 fail to properly restrict attachment metadata visibility, allowing authenticated users to enumerate attachment information from boards and cards they should not have access to. This information disclosure vulnerability requires valid credentials and can expose sensitive metadata to unauthorized users across the platform. A patch is available.
WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. [CVSS 7.5 HIGH]
WeKan (open-source kanban) prior to 8.19 has an LDAP filter injection vulnerability enabling authentication bypass through crafted LDAP login attempts.
Improper access controls in Wekan's REST API endpoint (models/boards.js) prior to version 8.21 allow authenticated users to modify resources they should not have permission to access. The vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated attacker with network access. Administrators should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in Wekan's attachment storage mechanism (models/attachments.js) up to version 8.20 allow authenticated remote attackers to gain unauthorized access to sensitive data and modify attachments. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete attachments they should not have permission to access. Upgrading to version 8.21 or later resolves this issue.
Improper access controls in Wekan's attachment migration component allow authenticated remote attackers to read, modify, or disrupt service functionality. The vulnerability affects Wekan versions up to 8.20 and requires valid user credentials to exploit. Users should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in WeKan's LDAP user synchronization component (versions up to 8.20) allow authenticated remote attackers to gain unauthorized access to sensitive information or modify data with low complexity. The vulnerability affects the LDAP User Sync functionality in packages/wekan-ldap/server/syncUser.js and requires valid credentials to exploit. WeKan 8.21 and later address this issue and should be deployed immediately.
WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.
Improper access control in Wekan's board migration function allows authenticated remote attackers to manipulate the boardId parameter and gain unauthorized access to sensitive data or modify board information. Wekan versions up to 8.20 are affected, and administrators should upgrade to version 8.21 or later to remediate this vulnerability.
Wekan versions up to 8.20. contains a vulnerability that allows attackers to improper access controls (CVSS 6.3).
Improper authorization in WeKan's REST API (versions up to 8.20) allows authenticated users to manipulate checklist item parameters and gain unauthorized access to resources across different boards and checklists. An attacker with valid credentials can exploit this vulnerability to read or modify data they should not have access to. The vulnerability has been patched in version 8.21 and users should upgrade immediately.
Improper authorization in WeKan's REST API setBoardOrgs function (versions up to 8.20) allows authenticated attackers to manipulate cardId, checklistId, and boardId parameters to gain unauthorized access to sensitive board information. The vulnerability requires local network access and high attack complexity, limiting its practical exploitation. A patch is available in version 8.21 and should be applied to all affected deployments.
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.
Wekan versions 8.32 and 8.33 allow authenticated users to modify custom fields across any board due to insufficient access validation in the custom fields API endpoints. An attacker with access to one board can exploit this Insecure Direct Object Reference vulnerability to manipulate custom fields on other boards by supplying foreign field IDs. A patch is available to address this authorization bypass.
Wekan versions up to 8.18 contain an authorization bypass in the custom translation handler that allows authenticated users to manipulate translation settings they should not have access to. An attacker with valid credentials can exploit the setCreateTranslation function to gain unauthorized access to modify translations, potentially affecting application functionality and data integrity. The vulnerability has been patched in version 8.19 and users should upgrade immediately.
Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Activity Publication Handler that allows unauthenticated remote attackers to access sensitive data through manipulation of the activities.js file. The vulnerability requires no user interaction and can be exploited over the network with low complexity. Users should upgrade to version 8.21 or apply patch 91a936e07d2976d4246dfe834281c3aaa87f9503 to remediate this issue.
Improper access controls in WeKan's administrative repair handler (fixDuplicateLists.js) allow authenticated remote attackers to manipulate list data and gain unauthorized access to sensitive information. Affected versions through 8.20 can be remediated by upgrading to version 8.21 or applying the referenced patch.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Meteor Publication Handler's card publication mechanism that allows authenticated remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction to exploit, and is resolved in version 8.21.
Wekan before version 8.20 fails to properly validate user permissions on migration functions, allowing authenticated non-admin users to execute unauthorized migration operations. This vulnerability affects any Wekan deployment and could be exploited by low-privileged users to compromise data integrity or availability. A patch is available.
Wekan versions before 8.19 fail to properly enforce the allowPrivateOnly configuration setting during board creation, allowing authenticated users to create public boards when only private boards should be permitted. This authorization bypass enables users to circumvent intended access control policies and expose board data beyond the intended scope. A patch is available for affected installations.
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 4.3).
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. [CVSS 5.4 MEDIUM]
Wekan prior to version 8.19 improperly validates permissions on card update API endpoints, checking only read access instead of requiring write permissions. This allows read-only users to modify cards they should not be able to edit. A patch is available to address this authorization bypass.
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 7.5).
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 7.5).
Wekan versions before 8.19 fail to properly restrict attachment metadata visibility, allowing authenticated users to enumerate attachment information from boards and cards they should not have access to. This information disclosure vulnerability requires valid credentials and can expose sensitive metadata to unauthorized users across the platform. A patch is available.
WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. [CVSS 7.5 HIGH]
WeKan (open-source kanban) prior to 8.19 has an LDAP filter injection vulnerability enabling authentication bypass through crafted LDAP login attempts.
Improper access controls in Wekan's REST API endpoint (models/boards.js) prior to version 8.21 allow authenticated users to modify resources they should not have permission to access. The vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated attacker with network access. Administrators should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in Wekan's attachment storage mechanism (models/attachments.js) up to version 8.20 allow authenticated remote attackers to gain unauthorized access to sensitive data and modify attachments. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete attachments they should not have permission to access. Upgrading to version 8.21 or later resolves this issue.
Improper access controls in Wekan's attachment migration component allow authenticated remote attackers to read, modify, or disrupt service functionality. The vulnerability affects Wekan versions up to 8.20 and requires valid user credentials to exploit. Users should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in WeKan's LDAP user synchronization component (versions up to 8.20) allow authenticated remote attackers to gain unauthorized access to sensitive information or modify data with low complexity. The vulnerability affects the LDAP User Sync functionality in packages/wekan-ldap/server/syncUser.js and requires valid credentials to exploit. WeKan 8.21 and later address this issue and should be deployed immediately.
WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.
Improper access control in Wekan's board migration function allows authenticated remote attackers to manipulate the boardId parameter and gain unauthorized access to sensitive data or modify board information. Wekan versions up to 8.20 are affected, and administrators should upgrade to version 8.21 or later to remediate this vulnerability.
Wekan versions up to 8.20. contains a vulnerability that allows attackers to improper access controls (CVSS 6.3).
Improper authorization in WeKan's REST API (versions up to 8.20) allows authenticated users to manipulate checklist item parameters and gain unauthorized access to resources across different boards and checklists. An attacker with valid credentials can exploit this vulnerability to read or modify data they should not have access to. The vulnerability has been patched in version 8.21 and users should upgrade immediately.
Improper authorization in WeKan's REST API setBoardOrgs function (versions up to 8.20) allows authenticated attackers to manipulate cardId, checklistId, and boardId parameters to gain unauthorized access to sensitive board information. The vulnerability requires local network access and high attack complexity, limiting its practical exploitation. A patch is available in version 8.21 and should be applied to all affected deployments.