WeKan Improper Access Control Vulnerability in Attachment Migration Component

Vulnerability

A vulnerability exists in the Attachment Migration component of WeKan versions prior to 8.21. The issue arises from improper access controls in the server/attachmentMigration.js file, which allow the component to be manipulated remotely in a way that could bypass authorization requirements. Users who lack the necessary privileges could exploit it to access or modify certain board attachments.

Impact

Exploitation of this vulnerability could lead to unauthorized access or modification of board attachments, potentially allowing users to manipulate migration processes or attachment statuses without proper authorization.

Reproduction

The vulnerability can be reproduced by calling the attachment migration methods without the required board admin or instance admin privileges. The caller can be any user who has access to the WeKan application but does not hold the necessary administrative rights for the targeted board. Because the migration methods can be accessed remotely, the calls can be made from such an unauthorized user account.

Remediation

Users are advised to upgrade to WeKan version 8.21, which addresses this vulnerability by implementing proper access controls. The updated version can be downloaded from the WeKan GitHub Releases page.
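
The access-control gap described under Reproduction, shown as an added example (not WeKan's code and not the 8.21 patch): a migration method that only checks for a logged-in caller, next to one that requires a board admin or instance admin. The function names, the in-memory stores and the `isAdmin` / `members` data shapes are assumptions made for illustration.

```javascript
// Added example, not WeKan source. All names and data shapes are assumptions.
// Constructed sample data: one instance admin, one board admin, one member.
const users = new Map([
  ['u-site-admin', { isAdmin: true }],
  ['u-board-admin', { isAdmin: false }],
  ['u-member', { isAdmin: false }],
  ['u-outsider', { isAdmin: false }],
]);
const boards = new Map([
  ['b1', { migrationStatus: 'idle', members: [
    { userId: 'u-board-admin', isAdmin: true, isActive: true },
    { userId: 'u-member', isAdmin: false, isActive: true },
  ] }],
]);

class AuthError extends Error {
  constructor(code, msg) { super(msg); this.code = code; }
}

// Weak form: authentication only, no check against the targeted board.
function startMigrationWeak(callerId, boardId) {
  if (!callerId) throw new AuthError('not-authorized', 'login required');
  boards.get(boardId).migrationStatus = 'running';
  return 'running';
}

// Authorization rule: instance admin, or an active admin of this board.
function canManageBoard(callerId, boardId) {
  const user = users.get(callerId);
  const board = boards.get(boardId);
  if (!user || !board) return false;
  if (user.isAdmin === true) return true;
  return board.members.some(
    (m) => m.userId === callerId && m.isActive === true && m.isAdmin === true);
}

// Hardened form: validate argument types, then authorize before any state change.
function startMigration(callerId, boardId) {
  if (typeof callerId !== 'string' || typeof boardId !== 'string') {
    throw new AuthError('not-authorized', 'invalid caller or board id');
  }
  // Same error for "unknown board" and "not allowed", so board ids cannot be probed.
  if (!canManageBoard(callerId, boardId)) {
    throw new AuthError('not-authorized', 'board admin or instance admin required');
  }
  boards.get(boardId).migrationStatus = 'running';
  return 'running';
}
```

When reviewing a deployment or a fork, the same rule applies to every method the migration component exposes, including status reads, not only the one that starts a migration.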

Added: Feb 5, 2026, 9:42 PM
Updated: Feb 5, 2026, 9:42 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.9
exploitability: 8.0
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.