Description
Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
Low
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Affected products
- kanboard / kanboard0 – 1.2.52
- kanboard / kanboard928c68aa2b7c00092dd71084d329b912e229f3d1 – 928c68aa2b7c00092dd71084d329b912e229f3d1
References
- MISChttps://github.com/kanboard/kanboard/issues/5829
- PATCHhttps://github.com/kanboard/kanboard/pull/5831
- PATCHhttps://github.com/kanboard/kanboard/commit/928c68aa2b7c00092dd71084d329b912e229f3d1
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/kanboard-cross-user-deletion-of-persistent-login-sessions-via-unvalidated-session-id