CVE-2024-54001

MEDIUM

Kanboard - Stored Cross-Site Scripting in Application Settings

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-54001. PoCs published by MarioTesoro.

AI-analyzed exploit summary The repository contains detailed technical writeups for multiple CVEs, including CVE-2024-54001, which describes a stored XSS vulnerability in Kanboard due to improper input sanitization in admin settings. The writeup includes specific HTTP request examples and mitigation steps.

Description

Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format,application_timezone and application_time_format allow arbirary user input which is reflected. The vulnerability can become xss if the user input is javascript code that bypass CSP. This vulnerability is fixed in 1.2.41.

Exploits (1)

github WRITEUP
by MarioTesoro · poc
https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2024-54001

The repository contains detailed technical writeups for multiple CVEs, including CVE-2024-54001, which describes a stored XSS vulnerability in Kanboard due to improper input sanitization in admin settings. The writeup includes specific HTTP request examples and mitigation steps.

Classification
Writeup 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Kanboard <= 1.2.40
Auth required
Prerequisites: Admin access to Kanboard settings
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 5.5
EPSS 0.0037
EPSS Percentile 29.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-80 CWE-79
Status published
Products (1)
kanboard/kanboard 1.2.40
Published Dec 05, 2024
Tracked Since Feb 18, 2026