CVE-2023-32685

Name of the Vulnerable Software and Affected Versions Kanboard versions prior to 1.2.29

Description The issue arises from improper handling of elements under the contentEditable element, allowing maliciously crafted clipboard content to inject arbitrary HTML tags into the DOM. A low-privileged attacker can exploit this by tricking the victim into pasting malicious screenshot data, potentially achieving cross-site scripting if Content Security Policy (CSP) is improperly configured.

Recommendations For versions prior to 1.2.29, update to version 1.2.29 to resolve the issue. As a temporary workaround, consider restricting the ability to attach documents and pasting screenshot data to minimize the risk of exploitation. Additionally, ensure that Content Security Policy (CSP) is properly configured to reduce the risk of cross-site scripting.