Wekan Authorization Flaw in Card Update Handling Allows Vote Forgery

Vulnerability

An authorization flaw has been identified in Wekan, an open-source kanban board system, in versions prior to 18.15. The vulnerability allows board members, and potentially other authenticated users, to manipulate the voting system by adding or removing arbitrary user IDs in a card's vote.positive and vote.negative arrays. Such actions could lead to unauthorized voting and vote forgery. The issue has been addressed in Wekan version 18.16.

Impact

Exploitation of this vulnerability allows for vote forgery, where a user can falsely represent their voting position or that of another user, potentially skewing decision-making processes that rely on accurate vote counts.

Reproduction

To reproduce this vulnerability, a user must be a board member or an otherwise authenticated user. Once that condition is met, the user can update a card's voting fields directly from the client, bypassing the intended authorization checks, by calling the 'cards.vote' Meteor method with the desired user ID and vote state.
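The following is an added illustration of the flaw class, not Wekan's own code: a Meteor-style 'cards.vote' handler modelled as a plain function with an in-memory card store, showing the unsafe pattern (trusting a client-supplied user ID) beside a hardened version that votes only as the authenticated caller and checks board membership. Card, board and user identifiers are constructed sample values.

```javascript
// Illustrative example (not Wekan's code). Assumptions: cards live in a Map
// keyed by card id, each card knows its board and holds
// vote = { positive: [], negative: [] }, and board membership is a Set of
// user ids. ctx.userId stands in for Meteor's this.userId on the server.
const boards = new Map([["board1", new Set(["alice", "bob"])]]);
const cards = new Map();

function makeCard(id, boardId) {
  cards.set(id, { _id: id, boardId, vote: { positive: [], negative: [] } });
  return cards.get(id);
}

// Clear any existing vote by userId before recording a new one.
function removeVote(card, userId) {
  card.vote.positive = card.vote.positive.filter((u) => u !== userId);
  card.vote.negative = card.vote.negative.filter((u) => u !== userId);
}

// Unsafe pattern: the handler takes userId from the client and never checks
// who is actually calling, so any caller can set or clear another user's vote.
function voteUnsafe(ctx, { cardId, userId, state }) {
  const card = cards.get(cardId);
  if (!card) throw new Error("not-found: unknown card");
  removeVote(card, userId);
  if (state === "positive" || state === "negative") card.vote[state].push(userId);
  return card.vote;
}

// Hardened pattern: the voter is always the authenticated caller, the caller
// must be a member of the card's board, and the vote state is validated.
// The client cannot name a user id at all.
function voteHardened(ctx, { cardId, state }) {
  if (!ctx.userId) throw new Error("not-authorized: login required");
  const card = cards.get(cardId);
  if (!card) throw new Error("not-found: unknown card");
  const members = boards.get(card.boardId);
  if (!members || !members.has(ctx.userId)) {
    throw new Error("not-authorized: caller is not a board member");
  }
  if (![ "positive", "negative", null ].includes(state)) {
    throw new Error("invalid vote state");
  }
  removeVote(card, ctx.userId);
  if (state) card.vote[state].push(ctx.userId); // null withdraws the vote
  return card.vote;
}
```

The unsafe handler accepts "alice" as the voter when "bob" is the caller; the hardened one records only "bob" and rejects a caller who is not on the board.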

Remediation

Users can update to Wekan version 18.16 or later, where this vulnerability has been fixed.

Added: Dec 15, 2025, 2:18 PM
Updated: Dec 15, 2025, 6:53 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.3
exploitability: 6.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.