Kolaente

**Name of the Vulnerable Software and Affected Versions** Vikunja versions 0.21.0 through 2.1.9 **Description** Vikunja Desktop, an Electron wrapper for the Vikunja task management platform, allows an attacker to execute arbitrary code on a victim's machine. This occurs because `nodeIntegration` is enabled in the main BrowserWindow without restrictions on same-window navigations. An attacker can craft a link within user-generated content, such as task descriptions or comments, that, when clicked by a victim, causes the BrowserWindow to navigate to an attacker-controlled origin. This allows JavaScript execution with full Node.js access, leading to arbitrary code execution. The issue stems from the combination of `nodeIntegration: true` and the absence of `will-navigate` or `will-redirect` handlers on the `webContents`. The vulnerability does not require a cross-site scripting (XSS) flaw; a standard, sanitized hyperlink is sufficient for exploitation. **Recommendations** Vikunja versions 0.21.0 through 2.1.9 are affected. Update to version 2.2.0 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions prior to 2.2.1 **Description** Vikunja is a self-hosted task management platform. A flaw exists where the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not confirm that the link share belongs to the project specified in the URL. An attacker with administrator privileges for any project can delete link shares from other projects by using their own project ID along with the target share ID. **Recommendations** Update to version 2.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja versions 0.20.2 through 2.1.9 **Description** Vikunja is a self-hosted task management platform. A flaw exists in the `DELETE /api/v1/projects/:project/background` endpoint where it incorrectly checks `CanRead` permission instead of `CanUpdate` permission. This allows any user with read-only access to a project to permanently delete the project's background image. The background file is removed from storage and cannot be recovered, constituting unauthorized data destruction. The issue resides in the `RemoveProjectBackground` handler within `pkg/modules/background/handler/background.go`, which reuses a helper function originally designed for read-only operations. The vulnerable API endpoint is `/api/v1/projects/:project/background`, and the vulnerable parameter is `project id`. The `checkProjectBackgroundRights` function is involved in the improper permission check. **Recommendations** Vikunja versions 0.20.2 through 2.1.9 are affected and should be updated to version 2.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Vikunja (affected versions not specified) **Description** An authenticated user can access task comments without proper authorization checks. Specifically, an attacker can read any task comment by ID, even if they do not have access to the associated task. This is possible by manipulating the task ID in the API URL. The `/api/v1/tasks/{taskID}/comments/{commentID}` API endpoint performs an authorization check against the task ID, but then loads the comment solely by its ID, bypassing verification that the comment actually belongs to that task. The `CanRead` function checks permissions based on the task ID from the URL, while the `getTaskCommentSimple` function retrieves the comment using only the comment ID, disabling struct-field filtering. This allows an attacker to bypass access controls and potentially leak sensitive information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.