
Orilcious

Rank #31269 of 53,632 · Total CVSS 8.2 · Vulnerabilities: 1

PT-2024-26969 · CVSS 8.2 · 2024-06-06
Kanboard · Kanboard · CVE-2024-36399
**Name of the Vulnerable Software and Affected Versions**

Kanboard versions prior to 1.2.37

**Description**

The vulnerability affects Kanboard, a project management application based on the Kanban methodology. It lies in the `addUser()` function of the `ProjectPermissionController.php` file. The user's permission to add users to a project is checked only against the `project_id` URL parameter. If the user is authorized for that project, the request is processed without re-checking the permission for the `project_id` value carried in the POST body. This allows an attacker with 'Project Manager' privileges on a single project to potentially take over any other project.

**Recommendations**

For versions prior to 1.2.37, upgrade to version 1.2.37 to fix the vulnerability. As a temporary workaround, consider restricting access to the `addUser()` function in the `ProjectPermissionController.php` file until the update is applied. Additionally, ensure that project managers' privileges are carefully managed to minimize the risk of exploitation.
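The flaw class described above, as an added illustration that is not Kanboard's code: a handler that authorizes on the route's `project_id` but acts on the body's `project_id`, beside a hardened variant that refuses to act when the two disagree. The `Request` class, the `MANAGER_OF` table and all identifiers are constructed for this example.

```php
<?php
// Illustrative reconstruction of the flaw class, not Kanboard's own code.
// Hypothetical request carrying both a URL (route) parameter and POST body values.
final class Request
{
    public function __construct(private array $urlParams, private array $postValues) {}
    public function getIntegerParam(string $name): int { return (int)($this->urlParams[$name] ?? 0); }
    public function getValues(): array { return $this->postValues; }
}

// Constructed permission table: user 42 is Project Manager of project 1 only.
const MANAGER_OF = [42 => [1]];

function isProjectManager(int $userId, int $projectId): bool
{
    return in_array($projectId, MANAGER_OF[$userId] ?? [], true);
}

// Vulnerable pattern: authorize on the URL project_id, then act on the POST project_id.
// Returns the project id that would be modified, or null when the request is refused.
function addUserVulnerable(Request $req, int $actorId): ?int
{
    $urlProjectId = $req->getIntegerParam('project_id');
    if (!isProjectManager($actorId, $urlProjectId)) {
        return null; // forbidden on the route's project
    }
    $values = $req->getValues();
    return (int)$values['project_id']; // body value drives the action, never re-checked
}

// Hardened pattern: the authorized identifier is the only one the action may use.
function addUserHardened(Request $req, int $actorId): ?int
{
    $urlProjectId = $req->getIntegerParam('project_id');
    if (!isProjectManager($actorId, $urlProjectId)) {
        return null;
    }
    $values = $req->getValues();
    if ((int)$values['project_id'] !== $urlProjectId) {
        return null; // body and route disagree: reject instead of trusting the body
    }
    return $urlProjectId;
}

// Constructed request: route names project 1 (authorized), body names project 7 (not authorized).
$req = new Request(['project_id' => 1], ['project_id' => 7, 'user_id' => 99, 'role' => 'project-manager']);
var_dump(addUserVulnerable($req, 42)); // acts on the body's project, which the actor does not manage
var_dump(addUserHardened($req, 42));   // refused because the body contradicts the authorized route
```

The same check belongs on every handler that reads an object identifier from more than one place: authorize once, then use that single authorized value for the action.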