Vikunja · Vikunja · CVE-2026-27616
**Name of the Vulnerable Software and Affected Versions**
Vikunja versions prior to 2.0.0
**Description**
Vikunja, a self-hosted task management platform, does not sanitize SVG files uploaded as task attachments, so an SVG can carry embedded JavaScript. Because the application renders SVG attachments inline rather than forcing a download, that JavaScript executes when the file is opened through a direct URL, and it can read the user's authentication token from localStorage, potentially leading to account takeover. The vulnerability is classified as Stored Cross-Site Scripting (XSS): a malicious SVG attachment affects any authenticated user who accesses it, letting an attacker execute arbitrary JavaScript in the victim's session, expose authentication tokens, perform actions on the victim's behalf, and potentially escalate privileges.
**Recommendations**
Versions prior to 2.0.0 should be updated to version 2.0.0 or later.
Sanitize all uploaded SVG files to remove potentially executable content such as `<script>` elements and event handlers.
Serve attachments with `Content-Disposition: attachment` to prevent inline rendering.
Implement a strict Content Security Policy (CSP) to block script execution within uploaded files.
Store authentication tokens in `HttpOnly`, `Secure` cookies instead of localStorage.
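The upload-time and serving-side controls from the recommendations above, as an added example in Go (the language of Vikunja's backend) that is not Vikunja's own code: `checkSVG` walks the XML token stream of an uploaded SVG and rejects files containing `<script>`/`<foreignObject>` elements, `on*` event-handler attributes, or `javascript:` hrefs (rejecting rather than stripping, a stricter policy than the advisory's "remove"), and `serveAttachment` sends stored files with a download-only `Content-Disposition`, `X-Content-Type-Options: nosniff`, an opaque content type, and a sandboxing CSP so that even an unchecked SVG cannot run in the application's origin. The sample SVG documents, function names, and header values are constructed for this demo; the cookie-based token storage recommendation is not covered here.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample attachments for the demo; neither comes from the advisory.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>`
const activeSVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><script>f()</script></svg>`

var errActiveContent = errors.New("svg contains active content")

// stripControl drops whitespace and control characters so that a URL scheme
// split by tabs or newlines (which browsers ignore when parsing URLs) is
// still recognised by the scheme check below.
func stripControl(s string) string {
	return strings.Map(func(r rune) rune {
		if r <= ' ' {
			return -1
		}
		return r
	}, s)
}

// checkSVG rejects the constructs that can run script when an SVG is rendered
// inline: <script> and <foreignObject> elements, on* event-handler attributes,
// and javascript: URLs in href / xlink:href. encoding/xml resolves the xlink
// prefix, so both spellings arrive with Name.Local == "href". Malformed XML
// is rejected as well rather than guessed at.
func checkSVG(r io.Reader) error {
	dec := xml.NewDecoder(r)
	for {
		tok, err := dec.Token()
		if errors.Is(err, io.EOF) {
			return nil // clean end of document: nothing active found
		}
		if err != nil {
			return fmt.Errorf("malformed svg: %w", err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // character data, comments, directives: no attributes to inspect
		}
		switch strings.ToLower(se.Name.Local) {
		case "script", "foreignobject":
			return fmt.Errorf("%w: <%s> element", errActiveContent, se.Name.Local)
		}
		for _, a := range se.Attr {
			name := strings.ToLower(a.Name.Local)
			if strings.HasPrefix(name, "on") {
				return fmt.Errorf("%w: %s attribute", errActiveContent, a.Name.Local)
			}
			if name == "href" && strings.HasPrefix(strings.ToLower(stripControl(a.Value)), "javascript:") {
				return fmt.Errorf("%w: javascript: URL in href", errActiveContent)
			}
		}
	}
}

// serveAttachment streams a stored attachment with headers that keep the
// browser from executing it in the application's origin: download-only
// disposition, an opaque content type with sniffing disabled, and a CSP that
// forbids script and sandboxes the document if it is ever rendered anyway.
func serveAttachment(w http.ResponseWriter, filename string, body io.Reader) {
	h := w.Header()
	h.Set("Content-Type", "application/octet-stream")
	// mime.FormatMediaType quotes or RFC 2231-encodes the filename, so a
	// crafted attachment name cannot smuggle extra parameters into the header.
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.WriteHeader(http.StatusOK)
	io.Copy(w, body)
}

// attachmentResponse runs serveAttachment through httptest so the resulting
// headers can be inspected without a real server.
func attachmentResponse(filename, body string) *http.Response {
	rec := httptest.NewRecorder()
	serveAttachment(rec, filename, strings.NewReader(body))
	return rec.Result()
}

func main() {
	for name, doc := range map[string]string{"benign": benignSVG, "active": activeSVG} {
		if err := checkSVG(strings.NewReader(doc)); err != nil {
			fmt.Printf("%s: rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%s: accepted\n", name)
		}
	}
	resp := attachmentResponse("diagram.svg", benignSVG)
	for _, k := range []string{"Content-Type", "Content-Disposition", "X-Content-Type-Options", "Content-Security-Policy"} {
		fmt.Printf("%s: %s\n", k, resp.Header.Get(k))
	}
}
```

Run `checkSVG` at upload time before the file is stored, and route every attachment download through `serveAttachment`; the two layers are independent, so a file that slipped past the upload check (or was stored before the check existed) is still delivered as an inert download.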