Castilho101

**Name of the Vulnerable Software and Affected Versions** Kanboard versions prior to 1.2.30 **Description** Kanboard is project management software based on the Kanban methodology. A missing access control allows a user with limited privileges to create or move tasks to any project, even those they haven’t been invited to or are personal. The issue affects the `Duplicate to project` and `Move to project` features, which use the `checkDestinationProjectValues()` function. **Recommendations** Upgrade to version 1.2.30 or later.

**Name of the Vulnerable Software and Affected Versions** Kanboard versions prior to 1.2.30 **Description** A stored Cross-site scripting (XSS) issue allows an attacker to execute arbitrary Javascript, exposing users who view the task containing the malicious code to the XSS attack. The default CSP header configuration blocks this javascript attack. **Recommendations** For versions prior to 1.2.30, upgrade to version 1.2.30 or later to resolve the issue. As a temporary workaround for users unable to upgrade, ensure that a restrictive CSP header configuration is in place to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kanboard versions prior to 1.2.30 **Description** A `missing access control` issue was found in Kanboard, allowing a user with the lowest privileges to leak all task and project titles, even if they are not invited or it's a personal project. This could lead to private or critical information being leaked if such information is in the title. **Recommendations** For versions prior to 1.2.30, upgrade to version 1.2.30 to address the issue. As a temporary workaround, consider restricting access to sensitive projects and tasks to minimize the risk of exploitation.