[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Kanboard 1.2.7 Multiple Vulnerabilities
From: Will Boucher via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2019-02-18 21:45:05
Message-ID: SY3PR01MB1338AF0B6A5621BF80697382DF630 () SY3PR01MB1338 ! ausprd01 ! prod ! outlook ! com
[Download RAW message or body]
Kanboard 1.2.7 Multiple Vulnerabilities
Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include CSV account \
import cross site request forgery which allows an unauthenticated attacker to create a new \
administrative user. Cross site request forgery 2FA deactivation, allowing an unauthenticated \
attacker to disable an account's 2FA configuration. A lack of integrity checking or transport \
layer encryption enforced on plugins enables remote code execution by a malicious admin. Other \
vulnerabilities include: session privilege retention, 2FA bypass, database user_id and pre-2FA \
information disclosure.
Full Advisory URL : https://pulsesecurity.co.nz/advisories/Kanboard
--
Will Boucher
Security Consultant
Pulse Security
www.PulseSecurity.co.nz
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic