WeKan Improper Access Control Vulnerability in Administrative Repair Handler

A vulnerability exists in WeKan versions prior to 8.21, specifically within the Administrative Repair Handler component. The issue arises in the file 'server/methods/fixDuplicateLists.js', where the method intended to fix duplicate lists and swimlanes fails to properly enforce access controls. This flaw allows non-admin users to execute administrative workflows, potentially leading to unauthorized modifications. The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows non-admin users to access and execute administrative functions, specifically those related to the repair of duplicate lists and swimlanes. This could disrupt the application's workflow management by improperly altering or managing organizational data.

Reproduction

To reproduce this vulnerability, a non-admin user can invoke the 'fixDuplicateLists' method through the WeKan server's Meteor methods. This can be done by sending a request that includes the 'boardId' parameter, which is required to identify the board where the duplicate lists or swimlanes need to be fixed. The absence of proper authorization checks allows this method to be executed without admin rights, thereby exploiting the access control flaw.

Remediation

Users are advised to upgrade to WeKan version 8.21, which addresses this vulnerability by implementing the necessary access controls. The updated version can be downloaded from the WeKan GitHub Releases page.