Bryanqb07

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions prior to 5.4.2 **Description** The login flow in this open source electronic lab notebook does not reliably preserve the multi-factor authentication state across authentication steps. An attacker possessing valid primary credentials could, under certain conditions, use an attacker-controlled TOTP (Time-based One-Time Password) secret to bypass the additional authentication factor, leading to unauthorized account access. **Recommendations** Update to version 5.4.2.

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.47 Description: Kanboard is project management software based on the Kanban methodology. A deserialization issue in `ProjectEventActvityFormatter` allows administrators to instantiate arbitrary PHP objects by modifying the `event["data"]` field in the `project activities` table. An attacker can update this field to use a PHP gadget to write a web shell into the `/plugins` folder, resulting in remote code execution on the host system. Recommendations: Update Kanboard to version 1.2.47 or later.

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.47 Description: Kanboard is project management software based on the Kanban methodology. Prior to version 1.2.47, the `createTaskFile` method in the API did not validate the `task id` parameter to ensure it was a valid task ID, nor did it check for path traversal. This allowed a malicious actor to write a file to any location on the system controlled by the application user. The impact is limited because the filename is hashed and has no extension. Recommendations: Upgrade to version 1.2.47 or later.

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.46 Description: Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, it is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Recommendations: For versions prior to 1.2.46, update to version 1.2.46 to resolve the issue. As a temporary workaround, consider restricting access to the login page or implementing additional security measures to minimize the risk of exploitation. Avoid relying solely on IP-based protections for login rate-limiting.

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.46 Description: Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application url configuration is unset. This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application url is not set. Recommendations: For versions prior to 1.2.46, update to version 1.2.46 to resolve the issue. As a temporary workaround, consider setting the application url configuration to prevent the use of unvalidated Host headers. Restrict access to password reset functionality until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 5.1.15 Description: eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input validation could allow an authenticated user to read sensitive information, including a login token or other content stored in the database. This could lead to privilege escalation if cookies are enabled, which is the default setting. Recommendations: Upgrade to eLabFTW version 5.1.15.