Package: kanboard
Version: 1.2.44+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for kanboard.

CVE-2025-46825[0]:
| Kanboard is project management software that focuses on the Kanban
| methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site
| Scripting (XSS) Vulnerability in the `name` parameter of the
| `http://localhost/?controller=ProjectCreationController&action=create`
| form. This vulnerability allows attackers to inject malicious
| scripts into web pages viewed by other users. Note that the default
| content security policy (CSP) blocks the JavaScript attack, though
| it can be exploited if an instance is badly configured and the
| software is vulnerable to CSS injection because of the unsafe-inline
| on the default CSP. Version 1.2.45 contains a fix for the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46825
    https://www.cve.org/CVERecord?id=CVE-2025-46825
[1] https://github.com/kanboard/kanboard/security/advisories/GHSA-5wj3-c9v4-pj9v
[2] https://github.com/kanboard/kanboard/commit/6ebf22eeaae9f8b4abab72e3c18e45a2c4a2a808

Regards,
Salvatore
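The advisory's caveat is that the CSP only downgrades the issue: inline scripts are blocked, but `unsafe-inline` leaves inline styles open to CSS injection. The following is an added example (not code from the bug report or from Kanboard) that audits a Content-Security-Policy header for exactly those two properties; the sample policies are constructed for illustration and make no claim about Kanboard's real default header.

```python
# Added example: check whether a CSP header blocks inline scripts and
# inline styles. The sample headers below are constructed, not Kanboard's.

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; source tokens are kept as-is."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Sources governing `directive`, falling back to default-src the way
    browsers do for fetch directives; None when neither is present."""
    return policy.get(directive, policy.get("default-src"))


def inline_status(policy: dict[str, list[str]], directive: str) -> str:
    """'blocked', 'allowed' or 'unrestricted' for inline content under
    `directive` (script-src or style-src)."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return "unrestricted"          # no applicable directive: inline runs
    lc = [s.lower() for s in sources]  # keyword sources are case-insensitive
    if "'unsafe-inline'" in lc:
        # CSP Level 2+: a nonce or hash source in the same directive makes
        # browsers ignore 'unsafe-inline', so inline content stays blocked.
        if any(s.startswith("'nonce-") or s.startswith("'sha") for s in lc):
            return "blocked"
        return "allowed"
    return "blocked"


def audit(header: str) -> dict[str, str]:
    """Inline-script and inline-style posture for one CSP header."""
    policy = parse_csp(header)
    return {d: inline_status(policy, d) for d in ("script-src", "style-src")}


# Constructed sample: scripts blocked, inline styles permitted. This is the
# shape that turns a stored-XSS sink into a CSS-injection sink.
WEAK_CSP = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
# Constructed hardened variant: inline styles require a per-response nonce.
STRICT_CSP = "default-src 'self'; style-src 'self' 'nonce-ZXhhbXBsZQ=='"

if __name__ == "__main__":
    for name, hdr in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, audit(hdr))
```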

