Kanboard
Moderate fix1 remedy
cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*
Moderate fix1 remedy
- >= 1.2.26, <= 1.2.44
Kanboard Stored Cross-Site Scripting Vulnerability in Project Creation
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in Kanboard versions 1.2.26 through 1.2.44. The issue resides in the 'name' parameter of the Project Creation form. This vulnerability allows attackers to inject malicious scripts that are executed when other users view the affected project. While the default content security policy blocks JavaScript-based attacks, this vulnerability could be exploited in instances with a misconfigured CSP that allows CSS injection, as seen with the default 'unsafe-inline' directive.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the project.
Reproduction
To reproduce this vulnerability, create a project and then inject a script payload into the 'name' parameter of a second project. After saving, view the first project and click the 'Import Tasks' button, which triggers the execution of the injected script.
Remediation
Users can update to Kanboard version 1.2.45, which addresses this vulnerability.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
3.1impact
1.7exploitability
6.6remediation
7.7relevance
0.0threat
6.4urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.