[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Kanboard 1.2.7 Multiple Vulnerabilities

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Kanboard 1.2.7 Multiple Vulnerabilities
From: Will Boucher via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Mon, 18 Feb 2019 21:45:05 +0000

Kanboard 1.2.7 Multiple Vulnerabilities

Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include 
CSV account import cross site request forgery which allows an unauthenticated 
attacker to create a new administrative user. Cross site request forgery 2FA 
deactivation, allowing an unauthenticated attacker to disable an account's 2FA 
configuration. A lack of integrity checking or transport layer encryption 
enforced on plugins enables remote code execution by a malicious admin. Other 
vulnerabilities include: session privilege retention, 2FA bypass, database 
user_id and pre-2FA information disclosure.

Full Advisory URL : https://pulsesecurity.co.nz/advisories/Kanboard

--
Will Boucher
Security Consultant
Pulse Security
www.PulseSecurity.co.nz


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Multiple issues in Teracue ENC-400 including pre-authenticated remote code execution
Next by Date: [FD] CVE-2019-8939: XSS in Tautulli
Previous by thread: [FD] Multiple issues in Teracue ENC-400 including pre-authenticated remote code execution
Next by thread: [FD] CVE-2019-8939: XSS in Tautulli
Index(es):
- Date
- Thread