REST API falsely updates Project Category without necessary permissions
NOTE: This is for JIRA Server and JIRA Data Center. Issue Summary: A User with Project Administrator permissions is able to update the Project Category via REST API. But in the Jira UI only a Jira Administrator is allowed to update the Project Category. Steps to...
CVE-2017-15198
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit a category of a private project of another user...
CVE-2017-15198
CVE-2017-15198 affects Kanboard prior to 1.0.47. An authenticated user can alter form data to edit a category of another user’s private project, exposing an authorization weakness in the category-edit flow. The issue is documented across multiple sources (Red Hat, NVD, CVE List, Debian tracker) a...