Date: Fri, 7 Jun 2024 10:34:25 GMT From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: ae8b261a09be - main - security/vuxml: record kanboard vulnerability Message-ID: <202406071034.457AYPKI047063@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=ae8b261a09bed7cecd73f792ac9d684f8e677230 commit ae8b261a09bed7cecd73f792ac9d684f8e677230 Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2024-06-07 07:25:22 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2024-06-07 10:34:07 +0000 security/vuxml: record kanboard vulnerability CVE-2024-36399 NVD assessment not yet provided. --- security/vuxml/vuln/2024.xml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index f0c1c2cb94e2..37aa9fcb07a3 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,37 @@ + <vuln vid="91929399-249e-11ef-9296-b42e991fc52e"> + <topic>kanboard -- Project Takeover via IDOR in ProjectPermissionController</topic> + <affects> + <package> + <name>kanboard</name> + <range><lt>1.2.37</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>security-advisories@github.com reports:</p> + <blockquote cite="https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7">; + <p>Kanboard is project management software that focuses on the Kanban + methodology. The vuln is in app/Controller/ProjectPermissionController.php + function addUser(). The users permission to add users to a project + only get checked on the URL parameter project_id. If the user is + authorized to add users to this project the request gets processed. + The users permission for the POST BODY parameter project_id does + not get checked again while processing. An attacker with the + 'Project Manager' on a single project may take over any + other project. The vulnerability is fixed in 1.2.37.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-36399</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-36399</url>; + </references> + <dates> + <discovery>2024-06-06</discovery> + <entry>2024-06-07</entry> + </dates> + </vuln> + <vuln vid="14908bda-232b-11ef-b621-00155d645102"> <topic>cyrus-imapd -- unbounded memory allocation</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202406071034.457AYPKI047063>