WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XWekan Project Wekan
APPWekan Project< 8.19
Related vulnerabilities
SSRF w Wekan — nieautoryzowany dostęp do wewnętrznych zasobów sieciowych
Wekan: ujawnienie wrażliwych danych użytkowników przez publikację notificationUsers
Wekan IDOR: nieautoryzowana modyfikacja pól własnych na tablicach
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks pub...
WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths valida...