WeKan
cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*
- <= 8.20
A vulnerability exists in WeKan versions prior to 8.21 within the Position-History Tracking component, specifically in the file server/methods/positionHistory.js. It arises from inadequate authorization checks on the position-history server methods, allowing unauthorized access to their functionality. The issue can be exploited remotely and may lead to unauthorized information disclosure. The vulnerability has been assigned the identifier 'PositionHistoryBleed'.
Exploitation of this vulnerability could result in unauthorized access to position history tracking features, allowing users to retrieve original position data for swimlanes, lists, and cards without proper authorization.
The vulnerability can be reproduced by calling the 'positionHistory.trackSwimlane', 'positionHistory.trackList', or 'positionHistory.trackCard' methods without being authenticated or having the necessary board access. The absence of authorization checks in these methods allows the retrieval of position history data without proper authorization.
Users are advised to upgrade to WeKan version 8.21, which addresses this vulnerability by implementing the necessary authorization checks. The updated version is available on the WeKan GitHub Releases page.