← volver
CVE-2026-25567

WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId

CVSS 5.3 MEDIUMEPSS 0.2%CWE-639
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Productos afectados
WeKan · WeKan

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62dhttps://wekan.fi/https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid