WeKan Insecure Direct Object Reference Vulnerability in Checklist Management

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in WeKan versions prior to 8.19. The issue lies in the checklist creation process and related checklist routes, where the application fails to verify that the supplied cardId belongs to the supplied boardId. Because this relationship is never validated, an identifier from one board can be submitted together with a different board's ID (cross-board ID tampering).

Impact

Exploitation of this vulnerability allows for unauthorized deletion of checklists, as the application does not properly validate the relationship between checklists, cards, and boards.

Reproduction

To reproduce this vulnerability, create a checklist on a board and note the card and checklist IDs. Then, manipulate the board ID while keeping the checklist ID the same to delete the checklist from a different board, bypassing the intended validation.

Remediation

Upgrade to WeKan version 8.19 or later, where this vulnerability has been addressed.
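As an added illustration (not WeKan's own code), the vulnerable pattern the advisory describes is shown beside a hardened delete handler that requires the whole board-to-card-to-checklist chain to agree before authorizing the request; the in-memory store, the membership table and the user names are constructed assumptions.

```javascript
// Added illustration, not WeKan code: a constructed in-memory store with two
// boards, one card each, and one checklist on card "c1" (board "b1").
function makeStore() {
  return {
    cards: new Map([
      ["c1", { _id: "c1", boardId: "b1" }],
      ["c2", { _id: "c2", boardId: "b2" }],
    ]),
    checklists: new Map([["k1", { _id: "k1", cardId: "c1", boardId: "b1" }]]),
    // Hypothetical membership table: which users may act on which boards.
    boardMembers: new Map([["b1", new Set(["alice"])], ["b2", new Set(["mallory"])]]),
  };
}

// Vulnerable pattern (the advisory's failure mode): membership is checked
// against the caller-supplied boardId, but the checklist is then deleted by
// ID alone, without confirming it belongs to a card on that board.
function deleteChecklistVulnerable(store, userId, boardId, checklistId) {
  const members = store.boardMembers.get(boardId);
  if (!members || !members.has(userId)) return { ok: false, reason: "not a board member" };
  if (!store.checklists.has(checklistId)) return { ok: false, reason: "no such checklist" };
  store.checklists.delete(checklistId);
  return { ok: true };
}

// Hardened pattern: resolve the objects and require the whole
// board -> card -> checklist chain to agree before authorizing the delete.
function deleteChecklistHardened(store, userId, boardId, cardId, checklistId) {
  const card = store.cards.get(cardId);
  const checklist = store.checklists.get(checklistId);
  if (!card || !checklist) return { ok: false, reason: "not found" };
  if (card.boardId !== boardId) return { ok: false, reason: "card not on board" };
  if (checklist.cardId !== cardId || checklist.boardId !== boardId) {
    return { ok: false, reason: "checklist not on card/board" };
  }
  const members = store.boardMembers.get(boardId);
  if (!members || !members.has(userId)) return { ok: false, reason: "not a board member" };
  store.checklists.delete(checklistId);
  return { ok: true };
}
```

The first handler lets a member of board "b2" remove a checklist that lives on board "b1"; the second rejects the same request because the checklist's card is not on the board named in the request.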

Added: Feb 7, 2026, 10:21 PM
Updated: Feb 7, 2026, 10:21 PM

Vulnerability Rating (Custom Algorithm)

spread:         3.1
impact:         0.6
exploitability: 5.8
remediation:    7.7
relevance:      2.8
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.