Contents

Note: If some security researcher gets CVE number for any of these, please send that number to support at wekan.team . Thanks!

CVE	Vulnerability name	Date	Responsible Security Disclosure by	Vulnerabilities
TODO	SocialBleed	2023-05-11 19.14 EET	Rajesh Thapa Did send detailed report!	Security: Links to Social Media at wekan.github.io could lead to theft of sensitive information Affected Wekan website before 2024-05-12 05.34 EET Fixed at Wekan website 2023-05-12 05.34 EET More details
TODO	AdminBleed	2023-04-24 16.40 EET	Christian Pöschl of usd AG Responsible Disclosure Team Did send detailed report!	Security: Non-Admin could change to Admin Affected Wekan v6.85 and earlier Fixed at Wekan v6.86 2023-04-26 More details
TODO	InvisibleBleed	2023-04-24 03.35 EET	Someone at chat Sent report and disappeared.	Security: HTML comments not visible Affected Wekan v6.85 and earlier Fixed at Wekan v6.86 2023-04-26 More details
CVE-2023-31779	ReactionBleed	2023-02-28 12.36 EET	Alexander Starikov at Jet Infosystems Did send detailed report and fix!	Security: XSS in feature "Reaction to comment" Affected Wekan v5.49 - v6.84 Fixed at Wekan v6.85 2023-04-18 More details
TODO	Filebleed	2023-02-16 17.35 EET	SEC Consult, an Atos company Did send detailed report!	Security: XSS in filename Affected Wekan v6.74 and earlier Fixed at Wekan v6.75 2023-02-21 More details
TODO	Emailbleed	2021-01-26 12.42 EET	Georg Krause Did send detailed report!	Security: SMTP password visible to Admin at Admin Panel by using browser inspect to see behind asterisks Affected Wekan v1.59-v4.98 Fixed at Wekan v4.99 2021-02-25 More details
CVE-2021-3309	LDAPbleed	2021-01-26 0:42 EET	robert-scheck Did send report and sent fix! Although, report was at public GitHub issue, not via Responsible Security Disclosure	Security: SSL/TLS certificate validation for LDAP disabled by default Affected Wekan v1.53.1-v4.87 Fixed at Wekan v4.88 2021-01-28 More details
TODO	DUEbleed	2021-01-11 EET	xet7 - maintainer of Wekan Did not notice security issue originally when merging new feature from pull request. Did fix issue when finally noticed it at production at Wekan demo server.	Due Cards and Broken Cards: As Admin user, at All Users view of Due Cards and Broken Cards, fixed to not show cards from other users private boards. This affected only logged in Admin user, not logged in other users. Affected Wekan v4.73-v4.74 Fixed at Wekan v4.75 2021-01-11 More details
CVE-2021-20654 VRF#20-08-MDPNJ. VN: JVN#80785288 for attachments. New report JVN#74210258, investigating	Fieldbleed	JVN#80785288 2020-03-23 17.03 EET JVN#74210258 2022-05-23 13.33 EET	Cyb3rjunky and swsjona about input fields. Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. (https://www.mbsd.jp/) about Javascript inside .SVG attachment Did send detailed report!	XSS: Javascript saved to field, and Javascript inside .SVG attachment, is run when page is reloaded Affected Wekan v3.12-v4.11 Fixed at Wekan v4.12 2020-06-08 More details
VRF#20-08-SGSSC.	Bypassbleed	2020-02-26 01:36 EET	Dejan Zelic, Justin Benjamin and others at Offensive Security Did send detailed report and helped fixing!	Auth Bypass Unauthenticated SSRF DoS Unauthenticated Username Change Unauthenticated Os Statistics Affected Wekan v0.7-v3.80 Fixed at Wekan v3.81 2020-03-01 More details
VRF#20-08-DDFJJ.	Userbleed	2018-06-12	Adrian Genaid at PLANTA Projektmanagement-Systeme GmbH Did send detailed report and fix!	User data is published unconditionally Sessions can be taken over Affected Wekan v0.11.1-rc2 - v1.03 Fixed at Wekan v1.04 2018-06-12 More details
CVE-2018-1000549, In Progress Update Request 938446	Brutebleed	2018-06-12	Shadow Vault Did not report to Wekan, was found later from CVE	Email / Username Enumeration Affected Wekan v1.04-v2.43 Fixed at Wekan v2.44 2019-03-11. More details
VRF#20-08-LZGVF.	Framebleed	2018-03-25	Team Did send detailed report!	Cross Frame Scripting Clickjacking Improper Cache Control Affected Wekan v0.7-v0.79 More details