Highkolaente

**Name of the Vulnerable Software and Affected Versions** Vikunja versions 0.21.0 through 2.1.9 **Description** Vikunja is a self-hosted task management platform. Versions 0.21.0 through 2.1.9 of the Vikunja Desktop Electron wrapper enable `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This configuration allows any cross-site scripting (XSS) vulnerability in the Vikunja web frontend to potentially lead to full remote code execution on a victim’s machine, as injected scripts gain access to Node.js APIs. **Recommendations** Update to version 2.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions 0.21.0 through 2.1.9 **Description** Vikunja is a self-hosted task management platform. Versions from 0.21.0 up to, but not including, 2.2.0 improperly handle URLs passed from `window.open()` calls to `shell.openExternal()` within the Desktop Electron wrapper. Specifically, there is a lack of validation or allowlisting of protocols. This allows an attacker to leverage links with `target=" blank"` or similar mechanisms within user-generated content to execute arbitrary URI schemes. This could lead to the invocation of local applications, opening of local files, or triggering of custom protocol handlers on the victim’s operating system. The `shell.openExternal()` function is used to open URLs in the user's default browser or associated application. The `window.open()` function is used to open a new browser window or tab. **Recommendations** Update to Vikunja version 2.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions 0.18.0 through 2.2.0 **Description** Vikunja is a self-hosted task management platform. When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. The API tokens, CalDAV basic authentication, and OpenID Connect authentication paths do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. The vulnerable authentication paths include the use of API tokens via the `/api/v1/lists` endpoint, CalDAV basic authentication, and OpenID Connect. The `user status` is not verified during authentication via these methods. **Recommendations** Update to version 2.2.1 or later.