WeKan Access Control Vulnerability in REST Endpoint

Vulnerability

An improper access control vulnerability has been identified in WeKan versions prior to 8.21. The issue resides in the REST endpoint for updating board titles, specifically within the file models/boards.js. The vulnerability allows unauthorized users to modify board titles by exploiting a weak authentication check that only verifies the presence of a user ID, rather than enforcing proper ownership and board-specific access controls. This flaw can be exploited remotely.

Impact

Exploitation of this vulnerability allows unauthorized users to update board titles, potentially leading to unauthorized modifications of board content and activities.

Reproduction

To reproduce this vulnerability, send a request to the REST endpoint '/api/boards/:boardId/title' with a valid user ID but without the necessary authorization to access the specific board. The request will be processed, and the board title can be updated without proper permissions.

Remediation

Upgrade to WeKan version 8.21, which addresses this vulnerability by implementing the correct access controls. The updated version is available on the WeKan GitHub Releases page.
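
The difference between a check that only verifies the presence of a user ID and a board-specific check, shown as a regression matrix. This is an added example on an in-memory model, not code from WeKan or from models/boards.js. The board shape, the member fields, the caller names and the rule that only an active board admin may rename a board are assumptions.

```javascript
// Added illustration: an in-memory model, NOT the code in WeKan's models/boards.js.
// Board shape, member fields, caller names and helper names are assumptions.
const boards = new Map([
  ['b1', { title: 'Roadmap', members: [
    { userId: 'alice', isAdmin: true, isActive: true },
    { userId: 'carol', isAdmin: false, isActive: true },
    { userId: 'dave', isAdmin: true, isActive: false },
  ] }],
]);

// Weak pattern from the advisory: the presence of a user ID is the only test.
function weakCheck(userId, _boardId) {
  return userId ? { status: 200 } : { status: 401 };
}

// Board-scoped check; assumed policy: active admin member of this board only.
function boardScopedCheck(userId, boardId) {
  if (!userId) return { status: 401 };
  const board = boards.get(boardId);
  if (!board) return { status: 404 };
  const member = board.members.find((m) => m.userId === userId);
  if (!member || !member.isActive || !member.isAdmin) return { status: 403 };
  return { status: 200 };
}

// Model of the /api/boards/:boardId/title handler, parameterised by the check.
function updateTitle(check, req) {
  const verdict = check(req.userId, req.params.boardId);
  if (verdict.status !== 200) return verdict;
  const board = boards.get(req.params.boardId);
  if (!board) return { status: 404 };
  const title = typeof req.body.title === 'string' ? req.body.title.trim() : '';
  if (!title) return { status: 400 };
  board.title = title;
  return { status: 200, title };
}

// Regression matrix: one request per caller type against board b1.
function runMatrix(check) {
  const callers = [null, 'mallory', 'carol', 'dave', 'alice'];
  return callers.map((userId) => {
    boards.get('b1').title = 'Roadmap'; // reset state between cases
    const req = { userId, params: { boardId: 'b1' }, body: { title: 'changed' } };
    return `${userId}:${updateTitle(check, req).status}`;
  });
}

console.log('weak  :', runMatrix(weakCheck).join(' '));
console.log('scoped:', runMatrix(boardScopedCheck).join(' '));
```

The same matrix, run as an integration test against a real deployment's endpoint after upgrading, confirms that non-members and deactivated members receive a denial rather than a successful update.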

Added: Feb 5, 2026, 10:19 PM
Updated: Feb 5, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.