Wekan Hall of Fame
Hall of Fame image from https://openclipart.org/detail/120343/trophy


Report number: 2
Date: 2018-06-12
Responsible Security Disclosure by: Adrian Genaid
Timeline:
2018-06-12 20:06 GMT+3: Report received. 5 Gold Star bonus points to Adrian Genaid for including a code suggestion for fixing the security issue!
2018-06-13 01:30 GMT+3: Wekan v1.04 released, includes security fix.
2018-06-26 16:07 GMT+3: Report content:

Hi, I just found a security issue in Wekan:
  • user data is published unconditionally
  • sessions can be taken over
  1. navigate to any standalone Wekan instance (sign in page, public board, ...)
  2. open developer tools (in Chrome)
  3. in console: "Meteor.subscribe('people', 999)"
  4. Users.find().fetch() => all users are shown
  5. have a look at the users: all login tokens are in the results (under services)!
  6. in console: "localStorage.setItem('Meteor.loginToken', 'anylogintokenfromthelistyouwouldliketouse')"
  7. reload the page => logged in as the user you have the login token from...
  • the "people" publication (in 'server/publications/people.js') is not secured against access (should only be accessible by admins)
  • in general, only some fields of a user should be published (no need to publish the password or login tokens...)
  • I think this problem exists since the introduction of the admin panel

This can be solved by improving the "people" publication.
Some proposal:

import { Meteor } from 'meteor/meteor';
import { check, Match } from 'meteor/check';

Meteor.publish('people', function(limit) {
  check(limit, Number);

  // Anonymous visitors get nothing.
  if (!Match.test(this.userId, String)) {
    return [];
  }

  // Only admins may list users, and only non-sensitive fields are published:
  // password hashes and login tokens under `services` are never projected.
  const user = Users.findOne(this.userId);
  if (user && user.isAdmin) {
    return Users.find({}, {
      sort: {createdAt: -1},
      limit,
      fields: {
        'username': 1,
        'profile.fullname': 1,
        'isAdmin': 1,
        'emails': 1,
        'createdAt': 1,
        'loginDisabled': 1,
      },
    });
  } else {
    return [];
  }
});
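The access rules in the proposal above, as an added example that is not Wekan's code: the same admin-only, whitelisted-fields logic written as a plain function over an in-memory array of user documents (a stand-in for the Users collection, with ctx.userId standing in for Meteor's this.userId), so the behaviour can be checked outside Meteor. The function names, the sample users and their tokens and hashes are constructed placeholders for this example.

```javascript
// Added example (not Wekan's code): the "people" publication's access control
// as a plain function, so the three cases (anonymous, non-admin, admin) can be
// exercised without a Meteor server.

// Whitelist of user fields that are safe to send to an admin's browser.
// Everything else, notably services.resume.loginTokens and the password hash
// under services.password, is never projected out.
const PEOPLE_FIELDS = ['username', 'profile.fullname', 'isAdmin', 'emails', 'createdAt', 'loginDisabled'];

// Minimal stand-in for a Mongo field projection: copy only the dotted paths
// listed in `fields` from `doc` into a new object.
function project(doc, fields) {
  const out = {};
  for (const path of fields) {
    const parts = path.split('.');
    let src = doc;
    let found = true;
    for (const p of parts) {
      if (src !== null && typeof src === 'object' && p in src) {
        src = src[p];
      } else {
        found = false;
        break;
      }
    }
    if (!found) continue;
    let dst = out;
    for (let i = 0; i < parts.length - 1; i++) {
      dst[parts[i]] = dst[parts[i]] || {};
      dst = dst[parts[i]];
    }
    dst[parts[parts.length - 1]] = src;
  }
  return out;
}

// Mirrors the proposal: `ctx.userId` plays the role of Meteor's this.userId,
// `users` the Users collection (an array of documents).
function peoplePublication(ctx, users, limit) {
  if (!Number.isInteger(limit) || limit < 0) {
    throw new Error('limit must be a non-negative integer'); // check(limit, Number)
  }
  if (typeof ctx.userId !== 'string') return [];            // anonymous: publish nothing
  const caller = users.find(u => u._id === ctx.userId);
  if (!caller || !caller.isAdmin) return [];                // non-admin: publish nothing
  return users
    .slice()
    .sort((a, b) => b.createdAt - a.createdAt)              // sort: {createdAt: -1}
    .slice(0, limit)
    .map(u => project(u, PEOPLE_FIELDS));
}

// Defensive self-check a test suite can run over whatever a publication
// returns: does any published document still carry the `services` subtree?
function leaksCredentials(docs) {
  return docs.some(d => d.services !== undefined);
}

// Constructed sample data; every token and hash below is a fake placeholder.
const SAMPLE_USERS = [
  { _id: 'u1', username: 'admin', isAdmin: true, createdAt: new Date('2018-01-01'),
    profile: { fullname: 'Site Admin' }, emails: [{ address: 'admin@example.invalid', verified: true }],
    services: { password: { bcrypt: 'FAKE-HASH-1' }, resume: { loginTokens: [{ hashedToken: 'FAKE-TOKEN-1' }] } } },
  { _id: 'u2', username: 'bob', isAdmin: false, createdAt: new Date('2018-02-01'),
    profile: { fullname: 'Bob' }, emails: [{ address: 'bob@example.invalid', verified: false }],
    services: { password: { bcrypt: 'FAKE-HASH-2' }, resume: { loginTokens: [{ hashedToken: 'FAKE-TOKEN-2' }] } } },
];

// The three cases a reviewer of the fix wants to see side by side.
function demo() {
  return {
    anonymous: peoplePublication({ userId: null }, SAMPLE_USERS, 999),
    nonAdmin: peoplePublication({ userId: 'u2' }, SAMPLE_USERS, 999),
    admin: peoplePublication({ userId: 'u1' }, SAMPLE_USERS, 999),
  };
}
```

The point of leaksCredentials is that a field whitelist is only as good as the test that guards it: a future edit that adds 'services': 1 to the projection, or switches to a blacklist, is caught by asserting that no published document carries `services` at all.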
Report number: 1
Date: 2018-03-25
Responsible Security Disclosure by: Team
Timeline:
2018-03-09: Team asked about scope of Wekan Responsible Security Disclosure.
xet7 added more details to the Wekan Security Disclosure wiki page about scope and security in Wekan.
Report received, and discussed with Wekan users and developers. Max security can be enabled, unless on some platform it makes Wekan not work at all. Report content:

Bug Type
Cross Frame Scripting, Clickjacking and Improper Cache Control.

Team here.
We regularly conduct security testing on popular open source frameworks.
We found:
  • Cross Frame Scripting and Clickjacking bugs in Wekan due to lack of X-Frame-Options:SAMEORIGIN headers.
  • Besides, we found no CSPs are present.
  • Cache control isn't implemented.
PoC: Iframe src=url html object

Wekan release v0.80: Added Meteor packages for security: browser-policy for cross-site scripting and clickjacking protection, and eluck:accounts-lockout for brute-force login protection. xet7 tested: the PoC does not work anymore after the addition of browser-policy. xet7 sent them info about the Wekan release, so that they can test whether there is still something to fix.

xet7 sent them an email asking whether they had time to test Wekan.

They replied by email: not yet.

xet7 published all details of their report to this HoF page.
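The three header protections Report 1 asked for (X-Frame-Options, a CSP, cache control), as an added example that is not Wekan's or the browser-policy package's code: withSecurityHeaders adds them to a response header map, and auditHeaders reports which of the three a response is missing, so a deployment can verify its own responses after a release like v0.80. The function names and the exact header values are this example's own choices; the sample header maps are constructed.

```javascript
// Added example (not Wekan's or browser-policy's code): set the protections
// Report 1 asked for on a response header map, and audit a header map for them.

// Decorate a header map with framing, CSP and cache-control protections.
function withSecurityHeaders(headers = {}) {
  return {
    ...headers,
    // Clickjacking / cross-frame scripting: refuse to be framed by other origins
    // (legacy header, still honoured by browsers without CSP frame-ancestors support).
    'X-Frame-Options': 'SAMEORIGIN',
    // CSP: baseline source policy plus frame-ancestors, the modern framing control.
    // Values are an illustrative starting point; a real app lists the origins it loads from.
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'",
    // Cache control for authenticated pages: never store them in shared or disk caches.
    'Cache-Control': 'no-store, no-cache, must-revalidate',
    'Pragma': 'no-cache',
  };
}

// Parse a CSP header into a directive map: "a b c; d e" -> { a: ['b','c'], d: ['e'] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Audit a header map (names compared case-insensitively, as they arrive from a
// real HTTP response) and return a list of findings; empty means all three
// protections from the report are present.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  // Framing is blocked if either the legacy header or CSP frame-ancestors restricts it.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  const ancestors = csp['frame-ancestors'] || [];
  const framingBlocked = xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
    (ancestors.length > 0 && !ancestors.includes('*'));
  if (!framingBlocked) findings.push('clickjacking: no X-Frame-Options and no CSP frame-ancestors');

  if (!h['content-security-policy']) findings.push('no Content-Security-Policy header');

  const cacheControl = (h['cache-control'] || '').toLowerCase();
  if (!/\bno-store\b/.test(cacheControl)) findings.push('cache control: Cache-Control lacks no-store');

  return findings;
}

// Constructed sample: a response the way Report 1 found it, and the same response hardened.
const UNPROTECTED_RESPONSE = { 'Content-Type': 'text/html; charset=utf-8' };
const PROTECTED_RESPONSE = withSecurityHeaders(UNPROTECTED_RESPONSE);
```

In a Meteor app the natural place to apply withSecurityHeaders is a WebApp.connectHandlers middleware that calls res.setHeader for each entry before handing the request on; auditHeaders can then be pointed at the headers of a deployed instance to confirm that the release actually ships them.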