Frederic Guillot

36 exploits Active since Aug 2017
CVE-2017-15203 WRITEUP MEDIUM WRITEUP
Kanboard < 1.0.47 - Authenticated Authorization Bypass via Form Data Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.
CVSS 4.3
CVE-2017-15204 WRITEUP MEDIUM WRITEUP
Kanboard < 1.0.47 - Authenticated Authorization Bypass via Automatic Action Form Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
CVSS 4.3
CVE-2017-15205 WRITEUP MEDIUM WRITEUP
Kanboard - Authenticated Unauthorized Attachment Download
In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.
CVSS 4.3
CVE-2017-15206 WRITEUP MEDIUM WRITEUP
Kanboard < 1.0.47 - Authenticated Authorization Bypass via Internal Link Injection
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.
CVSS 4.3
CVE-2017-15207 WRITEUP MEDIUM WRITEUP
Kanboard - Authenticated Authorization Bypass via Form Data Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
CVSS 4.3
CVE-2017-15208 WRITEUP MEDIUM WRITEUP
Kanboard < 1.0.47 - Authenticated Authorization Bypass via Form Data Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
CVSS 4.3
CVE-2017-15209 WRITEUP MEDIUM WRITEUP
Kanboard - Authenticated Authorization Bypass via Form Data Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
CVSS 4.3
CVE-2017-15210 WRITEUP MEDIUM WRITEUP
Kanboard < 1.0.47 - Authenticated Exposure of Sensitive Information via Thumbnail Access
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.
CVSS 4.3
CVE-2017-15211 WRITEUP MEDIUM WRITEUP
Kanboard < 1.0.47 - Authenticated Authorization Bypass via Form Data Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
CVSS 4.3
CVE-2017-15212 WRITEUP MEDIUM WRITEUP
Kanboard < 1.0.47 - Authenticated Exposure of Sensitive Information via Form Data Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
CVSS 4.3
CVE-2025-52576 WRITEUP MEDIUM WRITEUP
Kanboard < 1.2.46 - Username Enumeration and Brute-Force Protection Bypass via HTTP Header Spoofing
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue.
CVSS 5.3