Payloadcms · Payload · CVE-2026-25574
**Name of the Vulnerable Software and Affected Versions**
Payload versions prior to 3.74.0
**Description**
Payload is a headless content management system. Versions prior to 3.74.0 contain a cross-collection Insecure Direct Object Reference (IDOR) in the internal `payload-preferences` collection. When several auth collections are configured on Postgres or SQLite with the default serial/auto-increment IDs, an authenticated user in one auth collection can read and delete the preferences of a user in a different auth collection whose numeric ID is the same, because a numeric ID alone does not identify a user across collections. A deployment is affected only when all of the following hold: multiple auth collections are configured, a Postgres or SQLite database adapter with serial/auto-increment IDs is used, and users in different auth collections share a numeric ID. Deployments using the `@payloadcms/db-mongodb` adapter, a single auth collection, or Postgres/SQLite with `idType: 'uuid'` are not affected.
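The following is an added illustration of the collision described above; it is not Payload's own code. It models the preference store in memory (the assumed row shape, a polymorphic `user` relationship of `{ relationTo, value }` plus `key` and `value`, is a simplification of the real `payload-preferences` collection), contrasts an ownership check that compares only the numeric user ID with one that also requires the owning collection, and ends with a hypothetical `affectedByCve202625574` helper that encodes the advisory's affected conditions over a summarised deployment description. All sample rows and UUIDs are constructed.

```typescript
// Added illustration (not Payload's own code) of the cross-collection IDOR.
// Row shape is an assumption: a polymorphic user relationship plus key/value.
type UserRef = { relationTo: string; value: number | string };
type Preference = { id: number; user: UserRef; key: string; value: unknown };

// Constructed sample: two auth collections on a serial-ID database, so the
// admin and the customer both carry numeric ID 1.
function serialStore(): Preference[] {
  return [
    { id: 1, user: { relationTo: 'admins', value: 1 }, key: 'dashboard', value: { showRevenue: true } },
    { id: 2, user: { relationTo: 'customers', value: 1 }, key: 'dashboard', value: { showRevenue: false } },
  ];
}

// Same data on an idType: 'uuid' deployment (placeholder UUIDs, constructed).
function uuidStore(): Preference[] {
  return [
    { id: 1, user: { relationTo: 'admins', value: 'aaaaaaaa-0000-4000-8000-000000000001' }, key: 'dashboard', value: { showRevenue: true } },
    { id: 2, user: { relationTo: 'customers', value: 'bbbbbbbb-0000-4000-8000-000000000001' }, key: 'dashboard', value: { showRevenue: false } },
  ];
}

type OwnerCheck = (p: Preference, requester: UserRef) => boolean;

// Vulnerable pattern: ownership decided by the user ID alone.
function ownsVulnerable(p: Preference, requester: UserRef): boolean {
  return p.user.value === requester.value;
}

// Hardened pattern: ownership requires the ID *and* the collection the
// requester authenticated against, so colliding serials no longer match.
function ownsFixed(p: Preference, requester: UserRef): boolean {
  return p.user.relationTo === requester.relationTo && p.user.value === requester.value;
}

function readPreferences(store: Preference[], requester: UserRef, key: string, owns: OwnerCheck): Preference[] {
  return store.filter(p => p.key === key && owns(p, requester));
}

// Mirrors the delete path: returns surviving rows and how many were removed.
function deletePreferences(store: Preference[], requester: UserRef, key: string, owns: OwnerCheck): { remaining: Preference[]; removed: number } {
  const remaining = store.filter(p => !(p.key === key && owns(p, requester)));
  return { remaining, removed: store.length - remaining.length };
}

// Hypothetical deployment summary for the affected-conditions check; this is
// not Payload's config type.
type DeploymentSummary = {
  version: string;                       // e.g. '3.73.0'
  adapter: 'postgres' | 'sqlite' | 'mongodb';
  idType: 'serial' | 'uuid';             // ignored for mongodb
  authCollections: number;
};

function versionLessThan(a: string, b: string): boolean {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Affected only if: version < 3.74.0, Postgres/SQLite adapter, non-uuid IDs,
// and more than one auth collection (per the advisory's conditions).
function affectedByCve202625574(d: DeploymentSummary): boolean {
  if (!versionLessThan(d.version, '3.74.0')) return false;
  if (d.adapter === 'mongodb') return false;
  if (d.idType === 'uuid') return false;
  return d.authCollections > 1;
}

// What a customer with ID 1 can read and delete under each check.
function demo() {
  const customer: UserRef = { relationTo: 'customers', value: 1 };
  const uuidCustomer: UserRef = { relationTo: 'customers', value: 'bbbbbbbb-0000-4000-8000-000000000001' };
  return {
    serialVulnerableRead: readPreferences(serialStore(), customer, 'dashboard', ownsVulnerable).length,
    serialFixedRead: readPreferences(serialStore(), customer, 'dashboard', ownsFixed).length,
    serialVulnerableDelete: deletePreferences(serialStore(), customer, 'dashboard', ownsVulnerable).removed,
    serialFixedDelete: deletePreferences(serialStore(), customer, 'dashboard', ownsFixed).removed,
    uuidVulnerableRead: readPreferences(uuidStore(), uuidCustomer, 'dashboard', ownsVulnerable).length,
  };
}
```

Under the ID-only check the customer reads and deletes both rows, including the admin's; the collection-scoped check returns only the customer's own row, and on the UUID store even the weak check cannot collide because the IDs are distinct across collections.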
**Recommendations**
Upgrade to version 3.74.0 or later. Switching an existing Postgres or SQLite deployment to `idType: 'uuid'` changes the primary-key column types and requires a schema migration, so it is not a drop-in workaround; upgrading is the fix.