Xet7

**Name of the Vulnerable Software and Affected Versions** WeKan versões anteriores a 8.35 **Description** Verificações de autorização insuficientes nos manipuladores REST JsonRoutes dos endpoints da API REST de Integração permitem que membros autenticados do quadro realizem ações administrativas sem a devida verificação de privilégios. Isso permite a enumeração de integrações, incluindo URLs de webhook, bem como a criação, modificação ou exclusão de integrações e o gerenciamento de atividades de integração. **Recommendations** Atualize para a versão 8.35 ou posterior.

**Name of the Vulnerable Software and Affected Versions** WeKan versões anteriores a 8.35 **Description** Existe um problema no processamento de URLs de integração de webhook onde o campo `url schema` aceita qualquer string sem restrição de protocolo ou validação de destino. Isso permite que usuários com permissões para criar ou modificar integrações definam URLs de webhook para endereços de rede interna. Consequentemente, o servidor pode emitir requisições HTTP POST para alvos internos com payloads completos de eventos do quadro. Além disso, o processamento de respostas pode ser explorado para sobrescrever textos de comentários arbitrários sem verificações de autorização. Server-side request forgery é uma falha que permite a um invasor induzir a aplicação do lado do servidor a fazer requisições para um local não pretendido. **Recommendations** Atualize para a versão 8.35 ou posterior.

**Name of the Vulnerable Software and Affected Versions** Wekan versions 8.31.0 through 8.33 **Description** Wekan is an open source kanban tool. In affected versions, the board composite publication publishes all integration data for a board without field filtering, exposing sensitive information like webhook URLs and authentication tokens to any subscriber. Board publications are accessible to all board members, regardless of their role, and even to unauthenticated DDP clients for public boards. This allows any user with board access to retrieve webhook credentials. This token leak enables attackers to make unauthenticated requests to exposed webhooks, potentially triggering unauthorized actions in connected external services. The issue involves the publication of sensitive data without proper access controls. **Recommendations** Upgrade to version 8.34 or later to address this issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions 8.31.0 through 8.33 **Description** Wekan is an open source kanban tool built with Meteor. The `globalwebhooks` publication exposes all global webhook integrations—including sensitive `url` and `token` fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. **Recommendations** Wekan versions 8.31.0 through 8.33 should be updated to version 8.34.

**Name of the Vulnerable Software and Affected Versions** Wekan versions 8.31.0 through 8.33 **Description** Wekan is an open source kanban tool built with Meteor. The `notificationUsers` publication in Wekan publishes user documents without filtering fields. This causes the `ReactiveCache.getUsers()` call to return all fields, including sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and stored OAuth tokens. Custom publications return all cursor fields, meaning all subscribers receive complete user documents. Any authenticated user triggering this publication can collect credentials and session tokens for other users, potentially enabling password cracking, session hijacking, and account takeover. **Recommendations** Update to version 8.34 or later.

**Name of the Vulnerable Software and Affected Versions** Wekan versions 8.32 through 8.33 **Description** Wekan is an open-source kanban tool built with Meteor. Versions 8.32 and 8.33 contain a critical Insecure Direct Object Reference (IDOR) issue. This allows unauthorized users to modify custom fields across different boards through custom fields update endpoints, potentially leading to unauthorized data manipulation. The `/api/boards/:boardId/custom-fields/:customFieldId` API endpoint validates user access to the specified `boardId`, but the subsequent database update uses only the custom field’s ` id` as a filter without verifying that the field actually belongs to that board. An attacker who owns any board can modify custom fields on any other board by providing a foreign custom field ID. This flaw also exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. Required custom field IDs can be obtained by exporting a board, which only requires read access, as the exported JSON includes the IDs of all board components. The authorization check is performed against the incorrect resource, enabling cross-board custom field manipulation. **Recommendations** Wekan version 8.34 contains a fix for this vulnerability. Update to version 8.34 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions 8.32 through 8.33 **Description** Wekan, an open-source kanban tool built with Meteor, has an issue where the server directly fetches attachment URLs during board import without proper validation or filtering. This affects both Wekan and Trello import flows. The `parseActivities()` and `parseActions()` methods extract user-controlled attachment URLs and pass them to `Attachments.load()` for download without sanitization. This allows authenticated users to make arbitrary HTTP requests from the server, potentially accessing internal network services like cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels. **Recommendations** Wekan versions 8.32 and 8.33 should be updated to version 8.34.

**Name of the Vulnerable Software and Affected Versions** WeKan versions prior to 8.21 **Description** A flaw exists in WeKan related to missing authorization within the Position-History Tracking component, specifically in the file server/methods/positionHistory.js. This issue allows for remote manipulation, potentially leading to unauthorized access. **Recommendations** Upgrade to version 8.21 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions up to 8.20 **Description** A security issue has been identified in Wekan related to improper authorization. This occurs due to manipulation of the `item.cardId`, `item.checklistId`, or `card.boardId` arguments within the `setBoardOrgs` function located in the `models/boards.js` file of the REST API component. The attack can be launched remotely and is considered difficult to exploit due to its high complexity. **Recommendations** Upgrade to version 8.21 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions up to 8.20 **Description** A security issue exists in Wekan’s REST API component, specifically within the file `models/checklistItems.js`. Manipulation of the arguments `item.cardId`, `item.checklistId`, and `card.boardId` can lead to improper authorization. Remote exploitation is possible. **Recommendations** Upgrade to version 8.21.