Ghsl

**Name of the Vulnerable Software and Affected Versions** Wekan versions 8.32 through 8.33 **Description** Wekan, an open-source kanban tool built with Meteor, has an issue where the server directly fetches attachment URLs during board import without proper validation or filtering. This affects both Wekan and Trello import flows. The `parseActivities()` and `parseActions()` methods extract user-controlled attachment URLs and pass them to `Attachments.load()` for download without sanitization. This allows authenticated users to make arbitrary HTTP requests from the server, potentially accessing internal network services like cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels. **Recommendations** Wekan versions 8.32 and 8.33 should be updated to version 8.34.

**Name of the Vulnerable Software and Affected Versions** Wekan versions 8.31.0 through 8.33 **Description** Wekan is an open source kanban tool built with Meteor. The `globalwebhooks` publication exposes all global webhook integrations—including sensitive `url` and `token` fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. **Recommendations** Wekan versions 8.31.0 through 8.33 should be updated to version 8.34.