Package: kanboard
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for kanboard.

CVE-2024-36399[0]:
| Kanboard is project management software that focuses on the Kanban
| methodology. The vuln is in
| app/Controller/ProjectPermissionController.php function addUser().
| The user's permission to add users to a project only gets checked on
| the URL parameter project_id. If the user is authorized to add users
| to this project the request gets processed. The user's permission for
| the POST BODY parameter project_id does not get checked again while
| processing. An attacker with the 'Project Manager' role on a single
| project may take over any other project. The vulnerability is fixed
| in 1.2.37.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36399
    https://www.cve.org/CVERecord?id=CVE-2024-36399

Please adjust the affected versions in the BTS as needed.
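The gap described above, modelled as an added example that is not Kanboard's code: the handler authorizes the caller against the project_id in the URL query string but then acts on the project_id in the POST body, while the fixed variant authorizes on the project it actually modifies and rejects a mismatch. The role table, handler names and request dictionaries are constructed for illustration.

```python
# Constructed model of the authorization gap in CVE-2024-36399 (not Kanboard's
# own code). A request is represented by two dicts: `query` (URL parameters)
# and `form` (POST body). Access control must be evaluated on the same
# project_id the handler goes on to modify.

from typing import Dict, Set

# Constructed sample data: project id -> users holding 'Project Manager'.
PROJECT_MANAGERS: Dict[int, Set[str]] = {1: {"alice"}, 2: {"bob"}}


def is_project_manager(user: str, project_id: int) -> bool:
    return user in PROJECT_MANAGERS.get(project_id, set())


def add_user_vulnerable(caller: str, query: dict, form: dict,
                        members: Dict[int, Set[str]]) -> int:
    """Authorize on the query-string project, then act on the body project."""
    if not is_project_manager(caller, int(query["project_id"])):
        raise PermissionError("access denied")
    target = int(form["project_id"])  # taken from the body, never re-checked
    members.setdefault(target, set()).add(form["user_id"])
    return target


def add_user_fixed(caller: str, query: dict, form: dict,
                   members: Dict[int, Set[str]]) -> int:
    """Authorize on the project_id that is modified; reject any mismatch."""
    target = int(form["project_id"])
    if int(query["project_id"]) != target:
        raise ValueError("project_id mismatch between URL and body")
    if not is_project_manager(caller, target):
        raise PermissionError("access denied")
    members.setdefault(target, set()).add(form["user_id"])
    return target
```

The check to look for when reviewing similar handlers is whether the value passed to the access-control helper is the same object later handed to the data-access layer.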