WeKan Improper Authorization Vulnerability in REST API Allowing Inter-Board Manipulation

Vulnerability

A vulnerability exists in WeKan versions prior to 8.21, in the REST API function 'setBoardOrgs' in 'models/boards.js'. The affected code accepts card and checklist identifiers from the request but never verifies that the referenced checklist item actually belongs to the card and board named alongside it, so an authenticated user can read and modify checklist items on boards other than the one the request claims to target. The issue is reachable remotely by any authenticated user, although the exploitation path is assessed as complex.

Impact

Successful exploitation lets an authenticated user perform unauthorized actions on checklist items, reading or altering data on boards they are not a member of. The root cause is an object-level authorization failure: the handler trusts the object IDs supplied in the request instead of checking the ownership chain from checklist item to checklist, card and board before authorizing the action.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the 'setBoardOrgs' function through the REST API with 'cardId', 'checklistId' and 'boardId' parameters that do not agree with each other: the referenced checklist item does not belong to the given card, or the card does not belong to the given board. In affected versions the handler processes the request without checking that relationship, so the user can act on items from a board they have no access to. On 8.21 or later the same mismatched request should be rejected, which is the simplest way to confirm that an instance has been patched.
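The following is an added illustration, not WeKan's own code, written in JavaScript because WeKan is a Meteor/Node.js application. It models the mismatch described above with in-memory collections: a vulnerable handler that authorizes against the 'boardId' the caller supplies and then fetches the checklist item by ID alone, beside a hardened handler that walks item -> checklist -> card -> board, requires every link to match the request, and authorizes against the board the item really belongs to. The board and item data, the user names, the 'isFinished' field and the handler names are all constructed for the demo and are not WeKan's real API.

```javascript
// Added example (not WeKan's code). Everything below is constructed in-memory
// to show why a REST handler must tie the object it modifies to the board it
// authorized against, rather than trusting the ids in the request separately.

// Constructed data: two boards with one member each, one card per board,
// one checklist per card, one checklist item per checklist.
const boards = new Map([
  ['boardA', { _id: 'boardA', members: new Set(['alice']) }],
  ['boardB', { _id: 'boardB', members: new Set(['bob']) }],
]);
const cards = new Map([
  ['cardA', { _id: 'cardA', boardId: 'boardA' }],
  ['cardB', { _id: 'cardB', boardId: 'boardB' }],
]);
const checklists = new Map([
  ['clA', { _id: 'clA', cardId: 'cardA' }],
  ['clB', { _id: 'clB', cardId: 'cardB' }],
]);
const checklistItems = new Map([
  ['itemA', { _id: 'itemA', checklistId: 'clA', isFinished: false }],
  ['itemB', { _id: 'itemB', checklistId: 'clB', isFinished: false }],
]);

function isBoardMember(userId, boardId) {
  const board = boards.get(boardId);
  return Boolean(board && board.members.has(userId));
}

// Vulnerable pattern: membership is checked against the boardId the caller
// supplies, but the item is then loaded by itemId alone. Nothing ties the two
// together, so a member of board A can send boardId=boardA, itemId=itemB and
// modify an item that lives on board B.
function vulnerableSetItemFinished(userId, params) {
  const { boardId, itemId, isFinished } = params;
  if (!isBoardMember(userId, boardId)) {
    return { status: 403, error: 'not a board member' };
  }
  const item = checklistItems.get(itemId);
  if (!item) return { status: 404, error: 'item not found' };
  item.isFinished = isFinished;
  return { status: 200, item };
}

// Hardened pattern: resolve the ownership chain item -> checklist -> card ->
// board, reject the request if any link disagrees with the ids in the request,
// and only then authorize against the board the item actually belongs to.
// Mismatches are reported as 404 so the response does not leak whether the
// foreign object exists.
function hardenedSetItemFinished(userId, params) {
  const { boardId, cardId, checklistId, itemId, isFinished } = params;
  const item = checklistItems.get(itemId);
  if (!item || item.checklistId !== checklistId) {
    return { status: 404, error: 'item not in that checklist' };
  }
  const checklist = checklists.get(checklistId);
  if (!checklist || checklist.cardId !== cardId) {
    return { status: 404, error: 'checklist not on that card' };
  }
  const card = cards.get(cardId);
  if (!card || card.boardId !== boardId) {
    return { status: 404, error: 'card not on that board' };
  }
  if (!isBoardMember(userId, card.boardId)) {
    return { status: 403, error: 'not a board member' };
  }
  item.isFinished = isFinished;
  return { status: 200, item };
}

// Stand-alone run: alice (member of board A only) targets itemB on board B.
const crossBoard = { boardId: 'boardA', cardId: 'cardA', checklistId: 'clA', itemId: 'itemB', isFinished: true };
console.log('vulnerable:', vulnerableSetItemFinished('alice', crossBoard).status); // 200: cross-board write succeeds
console.log('hardened:  ', hardenedSetItemFinished('alice', crossBoard).status);   // 404: chain mismatch rejected
```

The hardened handler deliberately checks the chain before membership: if membership were checked first against the caller-supplied 'boardId', the flaw would remain, because the caller controls that value. Authorization has to be decided on the board derived from the object, not the board named in the request.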

Remediation

Upgrade to WeKan 8.21 or later, which adds the missing authorization checks. Releases are published on the WeKan GitHub Releases page.

Added: Feb 4, 2026, 10:34 PM
Updated: Feb 4, 2026, 10:34 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.3
exploitability: 6.0
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.