WeKan
cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*
- <= 8.20
A missing-authorization vulnerability exists in WeKan versions prior to 8.21, in the Rules Handler component in the file server/publications/rules.js. Because the component performs no proper authorization check, it allows unauthorized access to administrative automation data related to rules, triggers, and actions. The issue can be exploited remotely, and sensitive data can be accessed without the necessary permissions.
Exploitation of this vulnerability leads to unauthorized access to administrative data and functionalities, specifically automation data related to rules, triggers, and actions.
To reproduce this vulnerability, access the WeKan application version prior to 8.21 and navigate to the Rules Handler component. The vulnerability can be exploited by accessing the publications for rules, triggers, or actions without the required instance-admin authorization. This will result in the exposure of administrative automation data.
Users are advised to upgrade to WeKan version 8.21, where this vulnerability has been addressed. The upgrade is available on the WeKan GitHub Releases page.
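The authorization gap described above, as an added example that is not WeKan's own code: a publication guard that returns data only to instance admins, plus a regression check that lists any publication still answering anonymous or non-admin subscribers. The in-memory publication registry, the publication names (demoRules and so on), the isAdmin flag and all sample records are constructed assumptions, and plain arrays stand in for database cursors.

```javascript
// Constructed stand-ins so the example runs without a Meteor runtime.
const users = {                                   // constructed accounts
  u_admin: { _id: 'u_admin', isAdmin: true },     // isAdmin: assumed admin flag
  u_member: { _id: 'u_member', isAdmin: false },
};
const data = {                                    // constructed automation data
  rules: [{ _id: 'r1', title: 'archive done cards' }],
  triggers: [{ _id: 't1', activityType: 'moveCard' }],
  actions: [{ _id: 'a1', actionType: 'sendEmail' }],
};

const publications = {};
// Same shape as a publish(name, handler) registration: the handler is
// invoked with `this.userId` set to the subscriber (null when logged out).
function publish(name, handler) { publications[name] = handler; }

// Guard: non-admin and anonymous subscribers receive an empty result set.
function requireInstanceAdmin(handler) {
  return function guarded(...args) {
    const user = this.userId ? users[this.userId] : null;
    if (!user || user.isAdmin !== true) return [];
    return handler.apply(this, args);
  };
}

// Hypothetical unguarded shape: every subscriber gets every document.
publish('demoRulesUnguarded', () => data.rules);
// Guarded shape: the same data behind the instance-admin check.
publish('demoRules', requireInstanceAdmin(() => data.rules));
publish('demoTriggers', requireInstanceAdmin(() => data.triggers));
publish('demoActions', requireInstanceAdmin(() => data.actions));

// Run a publication as a given user and return the documents it would send.
function subscribe(name, userId) {
  return publications[name].call({ userId });
}

// Regression check: names of publications that return any document to an
// anonymous or non-admin subscriber.
function leakyPublications() {
  return Object.keys(publications).filter((name) =>
    [null, 'u_member'].some((uid) => subscribe(name, uid).length > 0));
}

console.log(leakyPublications()); // [ 'demoRulesUnguarded' ]
```

The same three-identity check (logged out, ordinary user, instance admin) can be run against a test deployment after upgrading to confirm that the rules, triggers and actions publications return nothing to non-admins.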