37 matches found
CVE-2019-7324
app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.
CVE-2024-54001
Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format,application_timezone and application_time_format allow arbirary user input which is reflect...
CVE-2024-36399
Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users t...
CVE-2017-12850
An authenticated standard user could reset the password of other users (including the admin) by altering form data. Affects kanboard before 1.0.46.
CVE-2023-33956
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any ...
CVE-2017-15198
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit a category of a private project of another user.
CVE-2017-15196
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user.
CVE-2017-15199
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.
CVE-2017-15208
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
CVE-2017-15201
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user.
CVE-2017-15206
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.
CVE-2023-32685
Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the contentEditable element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission to attach a document o...
CVE-2024-51747
Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments, that are viewable or downloadable in Kanboard are resolved through its path entry in the project_has_files SQLite db...
CVE-2017-12851
An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46.
CVE-2024-51748
Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can run arbitrary php code on the server in combination with a file write possibility. The user interface language is determined and loaded by the setting application_language in the sett...
CVE-2017-15195
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
CVE-2017-15197
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user.
CVE-2023-36813
Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations, the code improperly u...
CVE-2024-55603
Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (app/Core/Session/SessionHandler.php), to store the session data in a database. Therefo...
CVE-2017-15210
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.
CVE-2017-15212
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
CVE-2017-15200
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user.
CVE-2017-15205
In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.
CVE-2017-15209
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
CVE-2014-3920
Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.
CVE-2023-33968
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to a missing access control vulnerability that allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not bee...
CVE-2017-15202
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user.
CVE-2017-15203
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.
CVE-2023-33969
Kanboard is open source project management software that focuses on the Kanban methodology. A stored Cross site scripting (XSS) allows an attacker to execute arbitrary Javascript and any user who views the task containing the malicious code will be exposed to the XSS attack. Note: The default CSP h...
CVE-2017-15207
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
CVE-2017-15211
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
CVE-2017-15204
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
CVE-2025-46825
Kanboard is project management software that focuses on the Kanban methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site Scripting (XSS) Vulnerability in the name parameter of the http://localhost/?controller=ProjectCreationController&action=create form. This vulnerability allows att...
CVE-2023-33970
Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a missing access control was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or it...
CVE-2024-22720
Kanboard 1.2.34 is vulnerable to Html Injection in the group management feature.
CVE-2025-52560
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to...
CVE-2025-52576
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid ...