Package: kanboard
Version: 1.2.44+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for kanboard.

CVE-2025-55010[0]:
| Kanboard is project management software that focuses on the Kanban
| methodology. Prior to version 1.2.47, an unsafe deserialization
| vulnerability in the ProjectEventActvityFormatter allows admin users
| the ability to instantiate arbitrary php objects by modifying the
| event["data"] field in the project_activities table. A malicious
| actor can update this field to use a php gadget to write a web shell
| into the /plugins folder, which then gives remote code execution on
| the host system. This issue has been patched in version 1.2.47.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-55010
    https://www.cve.org/CVERecord?id=CVE-2025-55010
[1] https://github.com/kanboard/kanboard/security/advisories/GHSA-359x-c69j-q64r

Regards,
Salvatore
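As an added illustration of the bug class the advisory describes (this is a hypothetical example, not Kanboard's code and not the upstream 1.2.47 patch): a formatter that reads the stored event data, first with a plain unserialize() that instantiates whatever class the string names, then hardened so stored objects are never instantiated, plus a check a maintainer can run over existing project_activities rows to spot tampered values. The class name, row layout and function names are all assumed.

```php
<?php
// Hypothetical example, not Kanboard's code or its upstream fix.
// Constructed row resembling a project_activities record whose "data"
// column has been edited to name an arbitrary class.
$tamperedRow = [
    'id'   => 42,
    'data' => 'O:14:"ArbitraryClass":1:{s:4:"note";s:7:"example";}',
];

// Vulnerable pattern: unserialize() instantiates whichever class the
// stored string names, so anyone who can edit the column decides which
// objects (and which __wakeup/__destruct methods) run inside the app.
function formatEventUnsafe(array $row): mixed
{
    return unserialize($row['data']);
}

// Hardened pattern: refuse to instantiate any class. Objects in the
// payload degrade to __PHP_Incomplete_Class and no magic methods fire.
// Event data only needs plain arrays, so anything else is rejected.
function formatEventSafe(array $row): ?array
{
    $decoded = unserialize($row['data'], ['allowed_classes' => false]);
    return is_array($decoded) ? $decoded : null;
}

// Detection: serialized PHP objects start with "O:<len>:" (or "C:" for
// classes with custom serialization). Flag stored rows that contain one
// so the database can be audited before and after upgrading.
function findSuspiciousRows(iterable $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match('/(?:^|[;{])[OC]:\d+:"/', $row['data'])) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

var_dump(formatEventSafe($tamperedRow));        // NULL: object rejected
var_dump(findSuspiciousRows([$tamperedRow]));   // array(1) { [0]=> int(42) }
```

Storing event data as JSON and decoding it with json_decode() removes the object-instantiation path entirely and is the simpler long-term fix where the schema allows it.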

