Clipboard based cross-site scripting (blocked with default CSP) in Kanboard
CVE-2023-32685

5.4MEDIUM

Key Information:

Vendor
kanboard
Status
kanboard
Vendor
CVE Published:
30 May 2023

Summary

Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the contentEditable element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission to attach a document on a vulnerable Kanboard instance can trick the victim into pasting malicious screenshot data and achieve cross-site scripting if CSP is improperly configured. This issue has been patched in version 1.2.29.

Affected Version(s)

kanboard < 1.2.29

References

https://github.com/kanboard/kanboard/security/advisories/...
x_refsource_CONFIRM
https://github.com/kanboard/kanboard/commit/26b6eebb78d43...
x_refsource_MISC
https://github.com/kanboard/kanboard/commit/c9c1872067000...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-32685 : Clipboard based cross-site scripting (blocked with default CSP) in Kanboard | SecurityVulnerability.io