Kanboard Privilege Escalation Vulnerability in User Invite Registration Endpoint

Vulnerability

A privilege escalation vulnerability has been identified in Kanboard project management software, prior to version 1.2.51. The issue arises in the user invite registration endpoint, where POST parameters are accepted without proper validation of the 'role' field. This flaw allows an attacker who receives an invite link to inject 'role=app-admin' during registration, thereby creating an administrator account. The vulnerability exists because the 'UserInviteController::register()' method passes all POST data to 'UserModel::create()' without filtering, enabling unauthorized role assignment.
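The defect described above is a mass-assignment pattern: the request body is handed to the user-creation routine wholesale, so a field the server should own ('role') can be supplied by the client. The following PHP is an added illustration of that pattern next to a hardened version, not Kanboard's own code or its actual patch; the function names, the 'app-user' default role and the sample request body are assumptions, while 'app-admin' is the role value the advisory names.

```php
<?php
// Added example, not Kanboard's code. Field and role names other than
// 'app-admin' are assumptions for illustration.

// Fields an invited user is allowed to set about themselves.
const ALLOWED_INVITE_FIELDS = ['username', 'password', 'name', 'email'];

// Vulnerable pattern: the whole POST body is stored as-is, so a client-supplied
// 'role' overrides the default. Stands in for UserModel::create($values).
function createUserVulnerable(array $post): array
{
    $values = $post;
    $values['role'] = $values['role'] ?? 'app-user';
    return $values;
}

// Hardened pattern: copy only allow-listed fields and assign the role server-side,
// from the invite itself rather than from anything in the request body.
function createUserHardened(array $post, string $inviteRole = 'app-user'): array
{
    $values = [];
    foreach (ALLOWED_INVITE_FIELDS as $field) {
        if (array_key_exists($field, $post)) {
            $values[$field] = $post[$field];
        }
    }
    $values['role'] = $inviteRole;
    return $values;
}

// Constructed request body with the injected parameter from the advisory.
$post = [
    'token'    => 'EXAMPLE-INVITE-TOKEN',
    'username' => 'invitee',
    'password' => 'correct horse battery staple',
    'name'     => 'Invited User',
    'email'    => 'invitee@example.com',
    'role'     => 'app-admin',
];

$vulnerable = createUserVulnerable($post);
$hardened   = createUserHardened($post);

printf("vulnerable path stores role=%s\n", $vulnerable['role']);
printf("hardened path stores role=%s\n", $hardened['role']);

if ($hardened['role'] !== 'app-user' || array_key_exists('token', $hardened)) {
    throw new RuntimeException('allow-list filtering failed');
}
```

The same allow-list check belongs on every endpoint that turns a request body into a model row; reviewing a code base for calls that pass `$_POST` or the full request array straight into a create or update routine is a quick way to find siblings of this bug.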

Impact

Exploitation of this vulnerability allows any invited user to gain administrative privileges, including the ability to install plugins. Given that certain plugins can introduce remote code execution capabilities, this vulnerability could potentially lead to unauthorized code execution on the server.

Reproduction

To reproduce this vulnerability, an admin user must send an invite to the attacker's email address. Once the invite is received, the attacker can register by injecting 'role=app-admin' into the registration form. This can be done using a POST request that includes the invite token, along with the desired username, password, name, and email. After the registration is processed, the attacker will have an admin account with full access rights.

Remediation

Users are advised to update Kanboard to version 1.2.51 or later, where this vulnerability has been fixed.

Added: Mar 18, 2026, 2:20 AM
Updated: Mar 18, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.