SB2017101130 - Multiple vulnerabilities in Kanboard
Published: October 11, 2017 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 18 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2017-15208)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
2) Input validation error (CVE-ID: CVE-2017-15209)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
3) Information disclosure (CVE-ID: CVE-2017-15210)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.
4) Input validation error (CVE-ID: CVE-2017-15211)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
5) Information disclosure (CVE-ID: CVE-2017-15212)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
6) Input validation error (CVE-ID: CVE-2017-15195)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
7) Input validation error (CVE-ID: CVE-2017-15196)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user.
8) Input validation error (CVE-ID: CVE-2017-15197)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user.
9) Information disclosure (CVE-ID: CVE-2017-15198)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit a category of a private project of another user.
10) Input validation error (CVE-ID: CVE-2017-15199)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.
11) Input validation error (CVE-ID: CVE-2017-15200)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user.
12) Input validation error (CVE-ID: CVE-2017-15201)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user.
13) Input validation error (CVE-ID: CVE-2017-15202)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user.
14) Input validation error (CVE-ID: CVE-2017-15203)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.
15) Input validation error (CVE-ID: CVE-2017-15204)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
16) Information disclosure (CVE-ID: CVE-2017-15205)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.
17) Input validation error (CVE-ID: CVE-2017-15206)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.
18) Input validation error (CVE-ID: CVE-2017-15207)
The vulnerability allows a remote authenticated user to manipulate data.
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
Remediation
Install update from vendor's website.
References
- http://openwall.com/lists/oss-security/2017/10/04/9
- https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0
- https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524
- https://kanboard.net/news/version-1.0.47
- https://github.com/kanboard/kanboard/commit/7100f6de8a1f566e260b3e65312767e4cde112b1