Sth

**Name of the Vulnerable Software and Affected Versions** Wekan versions prior to 18.16 **Description** An issue exists in Wekan, an open-source kanban board system, where uploaded attachments can be served with a Content-Type controlled by an attacker (specifically, text/html). This allows for the execution of attacker-supplied HTML and JavaScript code within the application’s origin. Successful exploitation could lead to session or token theft and Cross-Site Request Forgery (CSRF) actions. **Recommendations** Update to version 18.16 or later.

**Name of the Vulnerable Software and Affected Versions** Wekan versions prior to 18.16 **Description** An issue exists in Wekan, an open-source kanban board system, where unauthenticated attackers can modify a board's "sort" value. The `Boards.allow` function does not verify the user ID, enabling unauthorized reordering of boards. **Recommendations** Update to version 18.16 or later.

**Name of the Vulnerable Software and Affected Versions** Wekan versions prior to 18.16 **Description** Authenticated users can modify their entire user document, including organization and team memberships, and login status, due to insufficient server-side authorization checks. This allows for privilege escalation and unauthorized access to other teams and organizations. **Recommendations** Update to version 18.16 or later.

**Name of the Vulnerable Software and Affected Versions** Wekan versions prior to 18.16 **Description** An issue exists in the Attachment upload API of Wekan, an open-source kanban board system. The API incorrectly processes the `Authorization` bearer token as a `userId`, leading to a non-terminating process when a non-empty token is provided. This can cause a denial-of-service condition and potentially allow for identity spoofing. The API endpoint affected is the attachment upload API. The vulnerable parameter is the `Authorization` bearer token. **Recommendations** Update to version 18.16 or later.

**Name of the Vulnerable Software and Affected Versions** Wekan versions prior to 18.16 **Description** An authorization flaw exists in the card update handling process. This flaw allows board members, and potentially other authenticated users, to manipulate user IDs within the `vote.positive` and `vote.negative` arrays. This manipulation enables vote forgery and unauthorized voting. The affected system is an open-source kanban board. **Recommendations** Update to version 18.16 or later.