Hall of Fame image from https://openclipart.org/detail/120343/trophy


CVE: TODO
Vulnerability name: Emailbleed
Date: 2021-01-26 12:42 EET
Responsible Security Disclosure by: Georg Krause
Vulnerabilities: Sent a detailed report.
  • SMTP password visible to the Admin in the Admin Panel: the field only masked the value with asterisks, so the browser's inspector showed the stored password
  • Affected Wekan v1.59-v4.98
  • Fixed at Wekan v4.99 2021-02-25
  • More details
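How the Emailbleed finding works, as an added example that is not Wekan's code: a password input masked with asterisks still carries its value as plain text in the DOM, so "Inspect element" shows it. The hardened version keeps the secret on the server and accepts it write-only. The settings document, the MASK sentinel and the field names are assumptions made for this example.

```javascript
// Added example, not Wekan's code: why a password input masked with
// asterisks still leaks its value to "Inspect element", and the write-only
// pattern that keeps the SMTP password on the server. settingsStore, MASK
// and the field names are assumptions made for this example.

// Constructed in-memory settings document, standing in for the database.
const settingsStore = {
  mailHost: 'smtp.example.test',
  mailUser: 'wekan',
  mailPassword: 's3cret-smtp-password',   // constructed sample secret
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The admin form template: type="password" only changes how the browser
// paints the field. The value attribute is plain text in the DOM.
function renderPasswordInput(value) {
  return `<input type="password" name="mailPassword" value="${escapeHtml(value)}">`;
}

// Vulnerable: the whole settings document is sent to the admin page, so the
// real password ends up in the markup.
function adminSettingsVulnerable(store) {
  return { ...store };
}

// Hardened: the secret never leaves the server. The page receives only a
// placeholder and an "is set" flag.
const MASK = '********';  // assumed sentinel; a password equal to it cannot be set

function adminSettingsFixed(store) {
  const { mailPassword, ...rest } = store;
  return {
    ...rest,
    mailPasswordIsSet: typeof mailPassword === 'string' && mailPassword !== '',
    mailPassword: MASK,
  };
}

// Write path: an untouched form posts the sentinel back, which must not
// overwrite the stored password. Only a new, non-empty value is stored.
function applyAdminUpdate(store, payload) {
  const next = { ...store };
  for (const key of ['mailHost', 'mailUser']) {
    if (typeof payload[key] === 'string') next[key] = payload[key];
  }
  const pw = payload.mailPassword;
  if (typeof pw === 'string' && pw !== '' && pw !== MASK) {
    next.mailPassword = pw;
  }
  return next;
}

function leaksSecret(html, secret) {
  return html.includes(secret);
}

// Usage: compare what an admin's inspector would show in each version.
const before = renderPasswordInput(adminSettingsVulnerable(settingsStore).mailPassword);
const after = renderPasswordInput(adminSettingsFixed(settingsStore).mailPassword);
console.log('vulnerable leaks:', leaksSecret(before, settingsStore.mailPassword));  // true
console.log('fixed leaks:', leaksSecret(after, settingsStore.mailPassword));        // false
```

The important half is the write path: once the form round-trips a placeholder, a careless save handler will store the placeholder as the new password, so the server must treat the sentinel and the empty string as "unchanged".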
CVE: CVE-2021-3309
Vulnerability name: LDAPbleed
Date: 2021-01-26 0:42 EET
Responsible Security Disclosure by: robert-scheck
Vulnerabilities: Sent report and fix. However, the report was filed as a public GitHub issue, not via Responsible Security Disclosure.

Date: 2021-01-11 EET
Responsible Security Disclosure by: xet7 - maintainer of Wekan
Vulnerabilities: Did not notice the security issue originally when merging the new feature from a pull request; fixed it when it was finally noticed in production on the Wekan demo server.
  • Due Cards and Broken Cards: as Admin user, the All Users view of Due Cards and Broken Cards showed cards from other users' private boards; fixed to not show them. This affected only the logged-in Admin user, not other logged-in users.
  • Affected Wekan v4.73-v4.74
  • Fixed at Wekan v4.75 2021-01-11
  • More details
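The authorization check behind the Due Cards entry, as an added example that is not Wekan's code: an "All Users" view gated only on Admin status returns cards from every board, while the fixed view also checks each card's board for visibility. The field names (permission, members, isActive, dueAt) and the sample boards and cards are assumptions made for this example.

```javascript
// Added example, not Wekan's code: the board-visibility check that the
// "All Users" Due Cards view needs so that an Admin does not see cards from
// other users' private boards. Field names (permission, members, isActive,
// dueAt) and the sample data are assumptions for this example.

// Constructed sample boards and cards.
const boards = [
  { _id: 'b1', permission: 'public',  members: [{ userId: 'alice', isActive: true }] },
  { _id: 'b2', permission: 'private', members: [{ userId: 'bob',   isActive: true }] },
  { _id: 'b3', permission: 'private', members: [{ userId: 'admin', isActive: true },
                                                 { userId: 'bob',   isActive: false }] },
];
const cards = [
  { _id: 'c1', boardId: 'b1',      title: 'on a public board',        dueAt: '2021-01-10' },
  { _id: 'c2', boardId: 'b2',      title: "on bob's private board",   dueAt: '2021-01-12' },
  { _id: 'c3', boardId: 'b3',      title: "on admin's private board", dueAt: '2021-01-09' },
  { _id: 'c4', boardId: 'deleted', title: 'board no longer exists',   dueAt: '2021-01-11' },
];

// A board is visible when it is public or the user is an active member.
// A missing board (deleted, or a bad reference) is never visible.
function canViewBoard(board, userId) {
  if (!board) return false;
  if (board.permission === 'public') return true;
  return board.members.some(m => m.userId === userId && m.isActive);
}

// Before the fix: "All Users" for an Admin returned every card with a due
// date, regardless of which board it belonged to.
function dueCardsAllUsersVulnerable(user) {
  if (!user.isAdmin) return [];
  return cards.filter(c => c.dueAt);
}

// After the fix: Admin status still gates the "All Users" view, but each
// card is additionally checked against the board it lives on.
function dueCardsAllUsersFixed(user) {
  if (!user.isAdmin) return [];
  const boardById = new Map(boards.map(b => [b._id, b]));
  return cards.filter(c => c.dueAt && canViewBoard(boardById.get(c.boardId), user._id));
}

const demoAdmin = { _id: 'admin', isAdmin: true };
console.log('before:', dueCardsAllUsersVulnerable(demoAdmin).map(c => c._id));  // [ 'c1', 'c2', 'c3', 'c4' ]
console.log('after: ', dueCardsAllUsersFixed(demoAdmin).map(c => c._id));       // [ 'c1', 'c3' ]
```

In a Meteor application the check has to run where the data is selected (publication or method), not only in the client template: anything published to the client is already readable in its local collection, whatever the view later chooses to draw.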

CVE: VRF#20-08-MDPNJ. VN: JVN#80785288 for attachments. New report JVN#74210258, investigating.
Date: JVN#80785288 2020-03-23 17:03 EET; JVN#74210258 2022-05-23 13:33 EET
Responsible Security Disclosure by: Cyb3rjunky and swsjona about input fields. Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. (https://www.mbsd.jp/) about JavaScript inside .SVG attachment
Vulnerabilities: Sent report.

CVE: VRF#20-08-SGSSC
Vulnerability name: Bypassbleed
Date: 2020-02-26 01:36 EET
Responsible Security Disclosure by: Dejan Zelic, Justin Benjamin and others at Offensive Security
Vulnerabilities: Sent report and helped with the fix.
  • Auth Bypass
  • Unauthenticated SSRF
  • DoS
  • Unauthenticated Username Change
  • Unauthenticated OS Statistics
  • Affected Wekan v0.7-v3.80
  • Fixed at Wekan v3.81 2020-03-01
  • More details

CVE: VRF#20-08-DDFJJ
Vulnerability name: Userbleed
Date: 2018-06-12
Responsible Security Disclosure by: Adrian Genaid at PLANTA Projektmanagement-Systeme GmbH
Vulnerabilities: Sent both report and fix.

CVE: In Progress Update Request 938446
Date: 2018-06-12
Responsible Security Disclosure by: Shadow Vault
Vulnerabilities: Not reported to Wekan; found later from the CVE.

CVE: VRF#20-08-LZGVF
Vulnerability name: Framebleed
Date: 2018-03-25
Responsible Security Disclosure by: Team
Vulnerabilities: Sent report.
  • Cross Frame Scripting
  • Clickjacking
  • Improper Cache Control
  • Affected Wekan v0.7-v0.79
  • More details
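The response-header side of two entries above, the Framebleed findings (Cross Frame Scripting, Clickjacking, Improper Cache Control) and the JavaScript-inside-.SVG attachment report, as one added example that is not Wekan's code: a Connect/Express-style middleware that sets the framing and caching headers, a helper for serving uploaded files so that an SVG cannot run script in the application's origin, and a small audit that reports the same findings a scanner would. The middleware shape, the fake response object and the header choices are assumptions made for this example.

```javascript
// Added example, not Wekan's code: a minimal header policy against the
// Framebleed findings (cross-frame scripting, clickjacking, cache control)
// and against script in uploaded .SVG attachments. The (req, res, next)
// middleware shape is Connect/Express style; everything else is assumed.

function securityHeaders(req, res, next) {
  // Clickjacking and cross-frame scripting share one mitigation: refuse to
  // be framed. CSP frame-ancestors is the current mechanism; X-Frame-Options
  // is kept for older browsers and must agree with it.
  res.setHeader('Content-Security-Policy', "frame-ancestors 'self'");
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  // Improper cache control: authenticated pages and API responses must not
  // land in shared caches or survive logout in the browser cache.
  res.setHeader('Cache-Control', 'no-store');
  res.setHeader('Pragma', 'no-cache');
  next();
}

// Attachments: an uploaded SVG is an XML document that may carry <script>
// and event handlers. Forcing a download, refusing MIME sniffing and
// sandboxing the response keeps any script out of the app's origin.
const ACTIVE_TYPES = new Set(['image/svg+xml', 'text/html', 'application/xhtml+xml']);

function attachmentHeaders(res, fileName, contentType) {
  const safeName = fileName.replace(/[^\w.-]/g, '_');
  const type = ACTIVE_TYPES.has(contentType) ? 'application/octet-stream' : contentType;
  res.setHeader('Content-Type', type);
  res.setHeader('Content-Disposition', `attachment; filename="${safeName}"`);
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('Content-Security-Policy', "sandbox; default-src 'none'");
}

// Audit an outgoing header set the way a scanner would report it.
// Header names are case-insensitive, so they are normalised first.
function auditHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  const csp = h['content-security-policy'] || '';
  if (!/frame-ancestors/.test(csp) && !h['x-frame-options']) findings.push('Clickjacking');
  const cc = h['cache-control'] || '';
  if (!/no-store/.test(cc)) findings.push('Improper Cache Control');
  return findings;
}

// Tiny fake response object so the block runs without a web server.
function fakeResponse() {
  const headers = {};
  return { headers, setHeader(k, v) { headers[k] = v; } };
}

const page = fakeResponse();
securityHeaders({}, page, () => {});
console.log('page findings:', auditHeaders(page.headers));   // []
console.log('bare findings:', auditHeaders({}));             // [ 'Clickjacking', 'Improper Cache Control' ]
```

Cache-Control: no-cache is not enough for the cache-control finding; it only forces revalidation, while no-store keeps the response out of the cache altogether. The Content-Type downgrade for SVG is deliberate: a browser that opens the downloaded file directly still renders it as an image, but the response itself is never interpreted as a document in the application's origin.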