Vulnerability CVE-2019-7324


Published: 2019-02-04

Description:
app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Kanboard 1.2.7 Cross Site Scripting
Mithat Gogebakan
30.05.2019

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Kanboard
Product: Kanboard 
Version:
1.2.7
1.2.6
1.2.5
1.2.4
1.2.3
1.2.2
1.2.1
1.2.0
1.1.1
1.1.0
1.0.9
1.0.8
1.0.7
1.0.6
1.0.5
1.0.48
1.0.47
1.0.46
1.0.45
1.0.44
1.0.43
1.0.42
1.0.41
1.0.40
1.0.4
1.0.39
1.0.38
1.0.37
1.0.36
1.0.35
1.0.34
1.0.33
1.0.32
1.0.31
1.0.30
1.0.3
1.0.29
1.0.28
1.0.27
1.0.26
1.0.25
1.0.24
1.0.23
1.0.22
1.0.21
1.0.20
1.0.2
1.0.19
1.0.18
1.0.17
1.0.16
1.0.15
1.0.14
1.0.13
1.0.12
1.0.11
1.0.10
1.0.1
1.0.0

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://packetstormsecurity.com/files/153093/Kanboard-1.2.7-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2019/May/41
https://github.com/kanboard/kanboard/commit/83deec2e3621c40d15a06e2491f27571d32fe10f
https://github.com/kanboard/kanboard/releases/tag/v1.2.8

Related CVE
CVE-2017-15210
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.
CVE-2017-15211
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
CVE-2017-15212
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
CVE-2017-15208
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
CVE-2017-15209
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
CVE-2017-15207
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
CVE-2017-15204
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
CVE-2017-15205
In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.

Copyright 2019, cxsecurity.com

 

Back to Top