| عنوان | Wekan <8.21 IDOR via REST API / improper object relationship validation |
|---|
| الوصف | Certain REST endpoints for checklist items accepted boardId/cardId/checklistId parameters but did not sufficiently verify that the referenced checklist item belonged to the specified card and board. This could allow an authenticated user with access to one board to act on checklist items from another board by guessing or obtaining object IDs. The fix adds relationship checks (item.cardId, item.checklistId, card.boardId) and returns 404 when mismatched. |
|---|
| المصدر | ⚠️ https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44 |
|---|
| المستخدم | MegaManSec (UID 94702) |
|---|
| ارسال | 20/01/2026 12:37 PM (5 أشهر منذ) |
|---|
| الاعتدال | 04/02/2026 03:46 PM (15 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 344266 [WeKan حتى 8.20 REST API models/checklistItems.js item.cardId/item.checklistId/card.boardId Checklist REST Bleed تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|