CVE-2024-54001

MEDIUM

Kanboard - XSS

Title source: llm

Description

Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format,application_timezone and application_time_format allow arbirary user input which is reflected. The vulnerability can become xss if the user input is javascript code that bypass CSP. This vulnerability is fixed in 1.2.41.

Exploits (1)

github WRITEUP

by MarioTesoro · poc

https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2024-54001

View Code ZIP pw:eip

References (1)

[Exploit, Vendor Advisory] https://github.com/kanboard/kanboard/security/advisories/GHSA-4vvp-jf72-chrj

Scores

CVSS v3 5.5

EPSS 0.0015

EPSS Percentile 35.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Details

CWE

CWE-80 CWE-79

Status published

Products (1)

kanboard/kanboard 1.2.40

Published Dec 05, 2024

Tracked Since Feb 18, 2026