Package: kanboard Version: 1.2.44+ds-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for kanboard. CVE-2025-52576[0]: | Kanboard is project management software that focuses on the Kanban | methodology. Prior to version 1.2.46, Kanboard is vulnerable to | username enumeration and IP spoofing-based brute-force protection | bypass. By analyzing login behavior and abusing trusted HTTP | headers, an attacker can determine valid usernames and circumvent | rate-limiting or blocking mechanisms. Any organization running a | publicly accessible Kanboard instance is affected, especially if | relying on IP-based protections like Fail2Ban or CAPTCHA for login | rate-limiting. Attackers with access to the login page can exploit | this flaw to enumerate valid usernames and bypass IP-based blocking | mechanisms, putting all user accounts at higher risk of brute-force | or credential stuffing attacks. Version 1.2.46 contains a patch for | the issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-52576 https://www.cve.org/CVERecord?id=CVE-2025-52576 [1] https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7 Regards, Salvatore
