Vulnerability Details : CVE-2017-15207
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
Products affected by CVE-2017-15207
- cpe:2.3:a:kanboard:kanboard:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.31:beta1:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.32:beta1:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.37:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.39:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.44:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.46:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.40:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.41:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.42:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.43:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.32:beta0:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.34:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.31:beta0:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.31:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.38:*:*:*:*:*:*:*
- cpe:2.3:a:kanboard:kanboard:1.0.45:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15207
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-15207
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
8.0
|
2.9
|
NIST | |
4.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2017-15207
-
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15207
-
https://kanboard.net/news/version-1.0.47
Page not found · GitHub PagesRelease Notes;Vendor Advisory
-
http://openwall.com/lists/oss-security/2017/10/04/9
oss-security - Several Privilege Escalation issues in Kanboard <= 1.0.46Mailing List;Third Party Advisory;VDB Entry
-
https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0
Avoid people to alter other projects by changing form data · kanboard/kanboard@074f6c1 · GitHubPatch;Third Party Advisory
-
https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524
Do not expose IDs in forms · kanboard/kanboard@3e0f14a · GitHubPatch;Third Party Advisory
Jump to