Kanboard Cross-Site Request Forgery Vulnerability in Project Role Management

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Kanboard project management software versions prior to 1.2.50. The issue resides in the ProjectPermissionController, where the application does not enforce the application/json Content-Type for the changeUserRole action. Because of this, an attacker can build a malicious HTML form that submits with the text/plain content type and changes project user roles without authorization. The vulnerability can be exploited if an authenticated admin visits a malicious site.

Impact

Exploitation of this vulnerability allows a low-privileged user to escalate privileges by causing unauthorized changes to project user roles within an admin's session.

Reproduction

To reproduce this vulnerability, log into Kanboard and navigate to the project permissions page. There, add a user with the project-viewer role. Then open a new tab in the same browser and load a crafted form that submits a text/plain request changing that user's role to project-manager.
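The root cause described above is that a JSON endpoint accepted a body regardless of the Content-Type header. The following is an added example, not Kanboard's own code: it models a role-change handler in Python, once without a Content-Type check (the pre-fix behaviour the advisory describes) and once enforcing application/json before the body is parsed. The Request class, the ALLOWED_ROLES set, the user_id/role field names and both sample requests are constructed for the example and are not taken from Kanboard.

```python
"""Content-Type enforcement for a JSON role-change endpoint (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical set of assignable roles; only project-viewer and
# project-manager are named in the advisory.
ALLOWED_ROLES = {"project-viewer", "project-member", "project-manager"}


@dataclass
class Request:
    """Minimal model of an inbound HTTP request: headers plus raw body."""
    headers: Dict[str, str]
    body: str

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_json_content_type(value: Optional[str]) -> bool:
    """True only for application/json; parameters such as charset are ignored."""
    if value is None:
        return False
    media_type = value.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def apply_role_change(payload) -> Tuple[int, str]:
    """Shared validation of the decoded payload (hypothetical field names)."""
    if not isinstance(payload, dict):
        return 400, "JSON object expected"
    user_id = payload.get("user_id")
    role = payload.get("role")
    if not isinstance(user_id, int) or role not in ALLOWED_ROLES:
        return 400, "invalid user_id or role"
    return 200, f"user {user_id} is now {role}"


def change_user_role_unsafe(request: Request) -> Tuple[int, str]:
    """Models the pre-fix behaviour: the body is parsed as JSON no matter
    which Content-Type the browser sent, so a cross-site form post that
    carries a JSON-shaped body is processed like a real API call."""
    try:
        payload = json.loads(request.body)
    except ValueError:
        return 400, "malformed JSON"
    return apply_role_change(payload)


def change_user_role(request: Request) -> Tuple[int, str]:
    """Hardened handler: refuse anything that is not application/json before
    touching the body. An HTML form cannot send that media type, so a
    cross-site form submission is rejected here with 415."""
    if not is_json_content_type(request.header("Content-Type")):
        return 415, "Content-Type must be application/json"
    try:
        payload = json.loads(request.body)
    except ValueError:
        return 400, "malformed JSON"
    return apply_role_change(payload)


# Constructed sample requests (not captured traffic).
# A browser posting an HTML form with enctype="text/plain" sends this
# Content-Type along with the victim's session cookie; the body is simply
# whatever text the form was built to emit (how a form ends up producing a
# JSON-shaped body is not modelled here).
FORM_POST = Request(
    headers={"Content-Type": "text/plain", "Cookie": "session=abc"},
    body='{"user_id": 2, "role": "project-manager"}',
)
# A legitimate fetch()/XHR call from the application's own front end.
JSON_POST = Request(
    headers={"Content-Type": "application/json; charset=utf-8", "Cookie": "session=abc"},
    body='{"user_id": 2, "role": "project-manager"}',
)

if __name__ == "__main__":
    for name, req in (("text/plain form", FORM_POST), ("JSON call", JSON_POST)):
        print(name, "unsafe:", change_user_role_unsafe(req),
              "hardened:", change_user_role(req))
```

The Content-Type check works because a plain HTML form can only produce application/x-www-form-urlencoded, multipart/form-data or text/plain, and a cross-origin script that tries to set application/json triggers a CORS preflight the server never approves. It should be combined with a per-session CSRF token and SameSite cookies as further layers; the example keeps to the single check the advisory identifies as missing.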

Remediation

Users can update to Kanboard version 1.2.50 or later, where this vulnerability has been fixed.

Added: Feb 10, 2026, 5:46 PM
Updated: Feb 11, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

Metric           Score
spread           3.1
impact           2.5
exploitability   7.5
remediation      7.7
relevance        2.9
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.