WeKan
cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*
- <= 8.20
A vulnerability allowing information disclosure has been identified in WeKan versions prior to 8.21. The issue arises from insufficient authorization filtering in the Activity Publication Handler (server/publications/activities.js): when activities are published for a board, activity data from linked boards is returned without checking whether those boards are visible to the requesting user. The vulnerability can be exploited remotely, without any authentication.
Exploitation of this vulnerability leads to unauthorized information disclosure, allowing users to access activity data from boards they do not have permission to view.
To reproduce this vulnerability, access the WeKan application and navigate to the Activity Publication feature, then request activity data from linked boards. A vulnerable version returns activity data from linked boards that are not visible to the requesting user, bypassing the authorization check.
Users are advised to upgrade to WeKan version 8.21, which addresses this vulnerability by implementing proper visibility checks for linked board activities.
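The following is an added example, not WeKan's own code, that models the authorization gap described in this advisory and the visibility check a fixed publication needs. It assumes a simplified board model (a `permission` field of `public` or `private`, a `members` list, and a `linkedBoardIds` list) and represents the Meteor publication as a plain function; the field names, the sample boards and the sample activities are all constructed for illustration and do not reflect WeKan's actual schema or data.

```javascript
// Constructed sample data (assumed field names, not WeKan's schema).
const boards = [
  { _id: 'b1', permission: 'public',  members: ['u1'], linkedBoardIds: ['b2', 'b3'] },
  { _id: 'b2', permission: 'private', members: ['u2'], linkedBoardIds: [] },
  { _id: 'b3', permission: 'private', members: ['u1'], linkedBoardIds: [] },
];
const activities = [
  { _id: 'a1', boardId: 'b1', text: 'activity on public board b1' },
  { _id: 'a2', boardId: 'b2', text: 'activity on private board b2' },
  { _id: 'a3', boardId: 'b3', text: 'activity on private board b3' },
];

// Visibility rule assumed for the example: public boards are visible to everyone,
// including anonymous callers (userId === null); private boards only to members.
function canSeeBoard(userId, board) {
  if (board.permission === 'public') return true;
  return userId !== null && board.members.includes(userId);
}

function findBoard(boardId) {
  return boards.find(b => b._id === boardId);
}

// Vulnerable pattern: the requested board is checked, but the ids of its linked
// boards are added to the query unconditionally, so activities from boards the
// caller cannot see are returned alongside the permitted ones.
function activitiesForBoardVulnerable(userId, boardId) {
  const board = findBoard(boardId);
  if (!board || !canSeeBoard(userId, board)) return [];
  const ids = [boardId, ...board.linkedBoardIds];
  return activities.filter(a => ids.includes(a.boardId));
}

// Hardened pattern: every linked board goes through the same visibility check
// as the requested board before its id is allowed into the query.
function activitiesForBoardFixed(userId, boardId) {
  const board = findBoard(boardId);
  if (!board || !canSeeBoard(userId, board)) return [];
  const visibleLinked = board.linkedBoardIds
    .map(findBoard)
    .filter(b => b && canSeeBoard(userId, b))
    .map(b => b._id);
  const ids = [boardId, ...visibleLinked];
  return activities.filter(a => ids.includes(a.boardId));
}

// Helper for comparing results: the set of activity ids returned.
function activityIds(list) {
  return list.map(a => a._id).sort();
}

// Stand-alone demonstration: an anonymous caller asking for the public board b1.
console.log('vulnerable:', activityIds(activitiesForBoardVulnerable(null, 'b1')));
console.log('fixed:     ', activityIds(activitiesForBoardFixed(null, 'b1')));
```

The point to carry over to a real publication is that the per-board visibility check has to be applied to each board whose data ends up in the result, not only to the board named in the request; a filter that only validates the entry point leaks whatever is reachable through links.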