Megableed
2025-12-26 18:39 EET
Joshua Rogers of Aisle Research

Sent a detailed report.
- 1. IDOR in setCreateTranslation: a non-admin user could change a custom translation
- 2. Private-only board setting can be bypassed
- 3. Card comment author spoofing (IDOR) via the API
- 4. Cross-board card move without authorization on the destination board
- 5. Read-only roles can still update cards
- 6. Checklist delete IDOR: the checklist is not verified against its board/card
- 7. Checklist create IDOR: cardId is not verified against boardId
- 8. Attachment publication leaks metadata without authentication
- 9. Attachment upload is not scoped to the card/board relationship
- 10. LDAP filter injection in LDAP authentication
- Affected: Wekan v8.18
- Fixed in Wekan v8.19 (2025-12-29)