SQL Injection Affecting kanboard package, versions <1.2.26+ds-2+deb12u2


Severity: high

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence

EPSS: 0.16% (54th percentile)

  • Snyk ID: SNYK-DEBIAN12-KANBOARD-5752465
  • Published: 4 Jul 2023
  • Disclosed: 5 Jul 2023

Introduced: 4 Jul 2023

CVE-2023-36813
CWE-89

How to fix?

Upgrade Debian:12 kanboard to version 1.2.26+ds-2+deb12u2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kanboard package and not to the kanboard package as distributed by Debian. See the "How to fix?" section above for the fixed versions and status relevant to Debian:12.

Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31, an authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations, the code improperly uses the PicoDB library to update/insert new information. Version 1.2.31 contains a fix for this issue.

CVSS Scores (version 3.1)