| Titel | Wekan <8.21 Missing authorization on admin function (CWE-284) |
|---|
| Beschreibung | The LDAP user sync Meteor method lacked an enforced admin-only authorization gate (prior code commented out authorization), allowing non-admins to force syncing of LDAP users to the local database. The fix requires the invoking user to be an instance admin (user.isAdmin) before LDAP sync can run. |
|---|
| Quelle | ⚠️ https://github.com/wekan/wekan/commit/146905a459106b5d00b4f09453a6554255e6965a |
|---|
| Benutzer | MegaManSec (UID 94702) |
|---|
| Einreichung | 20.01.2026 12:54 (vor 5 Monaten) |
|---|
| Moderieren | 04.02.2026 15:46 (15 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 344270 [WeKan bis 8.20 LDAP User Sync syncUser.js SyncLDAPBleed erweiterte Rechte] |
|---|
| Punkte | 17 |
|---|