| Title | Wekan <8.21 Improper access control on administrative migration methods (CWE |
|---|---|
| Description | Migration-related operations (including URL fixups) lacked sufficient authorization checks and accepted parameters that expanded scope. The fix removes the boardId parameter from some migration steps (making them global), and adds explicit authorization requiring board admin or instance admin for board-scoped migration execution, and admin checks for migration invocation. |
| Source | ⚠️ https://github.com/wekan/wekan/commit/cc35dafef57ef6e44a514a523f9a8d891e74ad8f |
| User | MegaManSec (UID 94702) |
| Submission | 2026-01-20 12:52 (5 months ago) |
| Moderation | 2026-02-04 15:46 (15 days later) |
| Status | Accepted |
| VulDB entry | 344268 [WeKan up to 8.20 Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration boardId MigrationBleed privilege escalation] |
| Points | 19 |