WeKan
cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*
- <= 8.20
A vulnerability exists in WeKan versions prior to 8.21, specifically within the REST API component in the file models/checklistItems.js. The issue arises from inadequate authorization checks on certain parameters, allowing authenticated users to manipulate checklist items across different boards. By exploiting this flaw, it is possible to access or modify checklist items that do not belong to the user's current board.
Exploitation of this vulnerability could lead to unauthorized access or modification of checklist items, allowing users to interfere with tasks and responsibilities on boards they do not manage.
To reproduce this vulnerability, an authenticated user can send a request to the checklist items endpoint of the REST API, including boardId, cardId, checklistId, and itemId parameters. The server processes the request without validating that the specified checklist item actually belongs to the referenced card and board, so the user can access or manipulate an item outside the board the request names.
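The following is an added illustration of the flaw class described above, not code from WeKan or its maintainers. It models the board, card, checklist and item hierarchy in memory with constructed sample data, and places a lookup that keys only on itemId (the missing-check pattern the advisory describes) beside a hardened lookup that requires every id in the request to be consistent with the stored records. The store layout, field names and user identifiers are assumptions for the example, not WeKan's schema.

```javascript
// Added example (not WeKan's code): constructed in-memory records for the
// board -> card -> checklist -> item hierarchy. All ids are sample values.
const store = {
  boards: {
    boardA: { _id: 'boardA', members: ['alice'] },
    boardB: { _id: 'boardB', members: ['bob'] },
  },
  cards: {
    cardA1: { _id: 'cardA1', boardId: 'boardA' },
    cardB1: { _id: 'cardB1', boardId: 'boardB' },
  },
  checklists: {
    clA1: { _id: 'clA1', cardId: 'cardA1' },
    clB1: { _id: 'clB1', cardId: 'cardB1' },
  },
  items: {
    itemA1: { _id: 'itemA1', checklistId: 'clA1', cardId: 'cardA1', title: 'A task' },
    itemB1: { _id: 'itemB1', checklistId: 'clB1', cardId: 'cardB1', title: 'B task' },
  },
};

// Weak form: only the caller's membership of the board named in the request is
// checked, and the item is then fetched by itemId alone. cardId and checklistId
// are accepted but never compared with the stored item, so a member of boardA
// can reach an item that lives on boardB.
function findChecklistItemWeak(db, user, { boardId, itemId }) {
  const board = db.boards[boardId];
  if (!board || !board.members.includes(user)) return null;
  return db.items[itemId] || null;
}

// Hardened form: the caller must be a member of boardId, and each level of the
// hierarchy must point at the level above it (item -> checklist -> card ->
// board). Any mismatch is treated as "not found", so a request that mixes ids
// from different boards is rejected.
function findChecklistItemChecked(db, user, { boardId, cardId, checklistId, itemId }) {
  const board = db.boards[boardId];
  if (!board || !board.members.includes(user)) return null;
  const card = db.cards[cardId];
  if (!card || card.boardId !== boardId) return null;
  const checklist = db.checklists[checklistId];
  if (!checklist || checklist.cardId !== cardId) return null;
  const item = db.items[itemId];
  if (!item || item.checklistId !== checklistId || item.cardId !== cardId) return null;
  return item;
}

// A write path built on the hardened lookup: the update only happens when the
// full chain of ids checks out. Returns true on success, false when rejected.
function renameChecklistItemChecked(db, user, params, newTitle) {
  const item = findChecklistItemChecked(db, user, params);
  if (!item) return false;
  item.title = newTitle;
  return true;
}
```

The important design point is that the hardened lookup does not trust any id from the request on its own: each id is only accepted once the record it names is shown to belong to the parent record the request also names. A request that passes authorization for boardA but points itemId at an item stored under boardB therefore fails the item-to-checklist and checklist-to-card comparisons and is rejected, which is the check the advisory says version 8.21 introduces.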
Users are advised to upgrade to WeKan version 8.21, which addresses this vulnerability by implementing the necessary authorization checks. The updated version is available on the WeKan GitHub Releases page.