| Field | Value |
|---|---|
| Title | Wekan <8.21 IDOR via REST API / improper object relationship validation |
| Description | Certain REST endpoints for checklist items accepted boardId/cardId/checklistId parameters but did not sufficiently verify that the referenced checklist item belonged to the specified card and board. This could allow an authenticated user with access to one board to act on checklist items from another board by guessing or obtaining object IDs. The fix adds relationship checks (item.cardId, item.checklistId, card.boardId) and returns 404 when mismatched. |
| Source | https://github.com/wekan/wekan/commit/cabfeed9a68e21c469bf206d8655941444b9912c |
| User | MegaManSec (UID 94702) |
| Submission | 20.01.2026 12:36 (5 months ago) |
| Moderation | 04.02.2026 15:36 (15 days later) |
| Status | Accepted |
| VulDB Entry | 344265 [WeKan up to 8.20 REST API models/boards.js setBoardOrgs item.cardId/item.checklistId/card.boardId privilege escalation] |
| Points | 20 |
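The following is an added example, not code from Wekan or from the linked commit. It models the handler pattern the description above talks about: a board-membership check followed by a lookup of a checklist item by its own ID, first without and then with the item.cardId / item.checklistId / card.boardId relationship checks that return 404 on mismatch. The in-memory store, the two users and all object IDs are constructed for the demo, and the function names (`getChecklistItemVulnerable`, `getChecklistItemHardened`, `isBoardMember`) are hypothetical; Wekan itself keeps these objects in Meteor collections, which is simplified here to plain objects.

```javascript
// Added example (not Wekan's code): a checklist-item REST lookup with and without
// object relationship validation. All data below is constructed for the demo.

// Constructed in-memory store: two boards, each owning one card, checklist and item.
const boards = {
  boardA: { _id: 'boardA', members: ['alice'] },
  boardB: { _id: 'boardB', members: ['bob'] },
};
const cards = {
  cardA: { _id: 'cardA', boardId: 'boardA' },
  cardB: { _id: 'cardB', boardId: 'boardB' },
};
const checklists = {
  listA: { _id: 'listA', cardId: 'cardA' },
  listB: { _id: 'listB', cardId: 'cardB' },
};
const checklistItems = {
  itemA: { _id: 'itemA', checklistId: 'listA', cardId: 'cardA', title: 'A task' },
  itemB: { _id: 'itemB', checklistId: 'listB', cardId: 'cardB', title: 'B task' },
};

// Board-level authorization shared by both handlers: the caller must be a member of
// the board named in the request. In the vulnerable variant this is the only check.
function isBoardMember(userId, boardId) {
  const board = boards[boardId];
  return Boolean(board && board.members.includes(userId));
}

// Vulnerable pattern: boardId is consulted only for membership; the item is then
// fetched by its own ID and never tied back to cardId, checklistId or boardId.
function getChecklistItemVulnerable(userId, { boardId, itemId }) {
  if (!isBoardMember(userId, boardId)) return { status: 403 };
  const item = checklistItems[itemId];
  if (!item) return { status: 404 };
  return { status: 200, body: item }; // an item from another board is served here
}

// Hardened pattern: every link in the chain must match the request parameters, and
// any mismatch is answered with 404 so foreign IDs look the same as missing ones.
function getChecklistItemHardened(userId, { boardId, cardId, checklistId, itemId }) {
  if (!isBoardMember(userId, boardId)) return { status: 403 };
  const item = checklistItems[itemId];
  if (!item || item.cardId !== cardId || item.checklistId !== checklistId) return { status: 404 };
  const checklist = checklists[checklistId];
  if (!checklist || checklist.cardId !== cardId) return { status: 404 };
  const card = cards[cardId];
  if (!card || card.boardId !== boardId) return { status: 404 };
  return { status: 200, body: item };
}

// Constructed requests: alice is a member of boardA only. The first request names
// boardA but references objects that belong to boardB; the second is legitimate.
const crossBoardRequest = { boardId: 'boardA', cardId: 'cardB', checklistId: 'listB', itemId: 'itemB' };
const legitimateRequest = { boardId: 'boardA', cardId: 'cardA', checklistId: 'listA', itemId: 'itemA' };

// Returns the HTTP status each handler produces for each scenario.
function demo() {
  return {
    vulnerableCrossBoard: getChecklistItemVulnerable('alice', crossBoardRequest).status, // 200
    hardenedCrossBoard: getChecklistItemHardened('alice', crossBoardRequest).status,     // 404
    hardenedLegitimate: getChecklistItemHardened('alice', legitimateRequest).status,     // 200
    hardenedNonMember: getChecklistItemHardened('bob', legitimateRequest).status,        // 403
  };
}

console.log(demo());
```

In the cross-board case the item, checklist and card are all consistent with each other, so only the final card.boardId comparison catches the mismatch; that is why the fix needs all three checks rather than any one of them, and why the mismatch is reported as 404 rather than 403, so that a request cannot distinguish an object it is not allowed to see from one that does not exist.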