| Título | Wekan <8.21 Improper access control on administrative migration methods (CWE |
|---|
| Descripción | Migration-related operations (including URL fixups) lacked sufficient authorization checks and accepted parameters that expanded scope. The fix removes the boardId parameter from some migration steps (making them global), and adds explicit authorization requiring board admin or instance admin for board-scoped migration execution, and admin checks for migration invocation. |
|---|
| Fuente | ⚠️ https://github.com/wekan/wekan/commit/cc35dafef57ef6e44a514a523f9a8d891e74ad8f |
|---|
| Usuario | MegaManSec (UID 94702) |
|---|
| Sumisión | 2026-01-20 12:52 (hace 5 meses) |
|---|
| Moderación | 2026-02-04 15:46 (15 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 344268 [WeKan hasta 8.20 Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration boardId MigrationBleed escalada de privilegios] |
|---|
| Puntos | 19 |
|---|