Vulnerability CVE-2017-15210


Published: 2017-10-10   Modified: 2017-10-11

Description:
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.

Vendor: Kanboard
Product: Kanboard 
Version:
1.0.9
1.0.8
1.0.7
1.0.6
1.0.5
1.0.46
1.0.45
1.0.44
1.0.43
1.0.42
1.0.41
1.0.40
1.0.4
1.0.39
1.0.38
1.0.37
1.0.36
1.0.35
1.0.34
1.0.33
1.0.32
1.0.31
1.0.30
1.0.3
1.0.29
1.0.28
1.0.27
1.0.26
1.0.25
1.0.24
1.0.23
1.0.22
1.0.21
1.0.20
1.0.2
1.0.19
1.0.18
1.0.17
1.0.16
1.0.15
1.0.14
1.0.13
1.0.12
1.0.11
1.0.10
1.0.1
1.0.0

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://openwall.com/lists/oss-security/2017/10/04/9
https://github.com/kanboard/kanboard/commit/7100f6de8a1f566e260b3e65312767e4cde112b1
https://kanboard.net/news/version-1.0.47

Related CVE
CVE-2019-7324
app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.
CVE-2017-15211
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
CVE-2017-15212
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
CVE-2017-15208
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
CVE-2017-15209
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
CVE-2017-15207
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
CVE-2017-15204
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
CVE-2017-15205
In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.

Copyright 2019, cxsecurity.com

 

Back to Top