Wekan Privilege Escalation Vulnerability Allowing Unauthorized Access to Teams and Organizations

Vulnerability

A vulnerability in Wekan, an open-source kanban board system, allows authenticated users to manipulate their entire user document, including sensitive fields such as organizations, teams, and login status. This issue arises from inadequate server-side authorization, enabling privilege escalation and unauthorized access to other teams or organizations. The vulnerability affects Wekan versions prior to 18.15 and was addressed in version 18.16.

Impact

Exploitation of this vulnerability could lead to unauthorized access to boards of any organizations or teams, allowing users to view or interact with content they should not have access to.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to update their user document. The request can include modifications to sensitive fields such as 'orgs', 'teams', and 'loginDisabled'. Since the update is processed without proper authorization checks, this can result in unauthorized changes and access.
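The class of fix this advisory implies is a deny-by-default server-side guard on user-document updates. The following is an added illustration, not Wekan's own code: a non-admin caller may update only their own document and only an allow-listed set of profile paths, so any modifier touching 'orgs', 'teams' or 'loginDisabled' is rejected before it reaches the database. The allow-listed paths, the isAdmin flag and the MongoDB-style modifier shapes are assumptions.

```javascript
// Added example (not Wekan's code). Field names 'orgs', 'teams' and
// 'loginDisabled' come from the advisory; everything else is assumed.
const SELF_EDITABLE_PATHS = new Set([
  'profile.fullname', 'profile.language', 'profile.avatarUrl',
]);
const PRIVILEGED_TOP_LEVEL = new Set(['orgs', 'teams', 'loginDisabled', 'isAdmin']);

// Collect every path a MongoDB-style modifier touches ($set, $unset, $push,
// $rename, ...). A key that does not start with '$' is a whole-document
// replacement and is treated as a path in its own right.
function modifiedPaths(modifier) {
  const paths = [];
  for (const [key, value] of Object.entries(modifier)) {
    if (key.startsWith('$')) {
      if (value === null || typeof value !== 'object') {
        throw new Error(`malformed modifier operand for ${key}`);
      }
      paths.push(...Object.keys(value));
    } else {
      paths.push(key);
    }
  }
  return paths;
}

// Nested paths such as 'orgs.0.orgId' or 'teams.$.teamId' are judged by
// their top-level field, so positional tricks cannot bypass the check.
function topLevel(path) {
  return path.split('.')[0];
}

// Returns { allowed, denied } where denied lists every rejected path.
// Admins are assumed to manage membership through separate admin-only
// code paths, so an admin actor bypasses this self-service guard.
function authorizeUserUpdate({ actorId, actorIsAdmin = false, targetId, modifier }) {
  const denied = [];
  for (const path of modifiedPaths(modifier)) {
    if (actorIsAdmin) continue;
    if (actorId !== targetId) { denied.push(path); continue; }
    if (PRIVILEGED_TOP_LEVEL.has(topLevel(path)) || !SELF_EDITABLE_PATHS.has(path)) {
      denied.push(path);
    }
  }
  return { allowed: denied.length === 0, denied };
}
```

Rejected updates should also be logged with the actor id and denied paths, since a non-admin user repeatedly submitting modifiers for 'orgs' or 'teams' is a useful detection signal.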

Remediation

Users are advised to update to Wekan version 18.16 or later, where this vulnerability has been fixed.

Added: Dec 15, 2025, 2:22 PM
Updated: Dec 15, 2025, 6:56 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.