Hall of Fame image from https://openclipart.org/detail/120343/trophy

Contents / Emailbleed

CVE: TODO
Vulnerability name: Emailbleed
Date: 2021-01-26 12.42 EET
Responsible Security Disclosure by: Georg Krause. Sent a detailed report!
Vulnerabilities:
  • Security: the SMTP password was visible to an Admin at the Admin Panel by using the browser's inspect tool to see behind the asterisks
  • Affected: Wekan v1.59-v4.98
  • Fixed in Wekan v4.99 (2021-02-25)


Timeline Details
2020-03-23 17:03 EET Report received.

Georg Krause wrote:

Hello,
today I noticed a security issue: Everyone with access to the admin panel is able to copy the SMTP password. It's hidden behind **** in the password field, but copy actions are possible. It's better to not expose the password in plain text to the frontend in any way. Please fix asap.

Kind regards, Georg
2021-02-25 Wekan v4.99 released by xet7 with the fix.
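
The pattern behind this report, as an added example that is not Wekan's code or its actual fix: a settings view that ships the stored SMTP password to the browser, next to one that sends only a "password is set" flag and keeps the stored secret when the admin form comes back without a new one. The field names (mailServer, password, passwordSet) and all sample values are assumptions constructed for illustration.

```javascript
// Added example; schema and values are constructed, not taken from Wekan.
const storedSettings = {
  mailServer: {
    host: 'smtp.example.org',
    port: 587,
    username: 'wekan',
    password: 'constructed-secret',
    from: 'wekan@example.org',
  },
};

// Vulnerable pattern: the whole document goes to the browser. A password
// input only masks the value on screen; it stays readable in the DOM.
function toAdminViewVulnerable(settings) {
  return JSON.parse(JSON.stringify(settings));
}

// Hardened read path: the secret never leaves the server. The client only
// learns whether a password is stored, so the form can show a placeholder.
function toAdminView(settings) {
  const { password, ...rest } = settings.mailServer;
  return { mailServer: { ...rest, passwordSet: Boolean(password) } };
}

// Hardened write path: a missing or empty password means "keep the stored
// one"; a non-empty value rotates it. The client-side passwordSet flag is
// display-only and is dropped before saving.
function applyAdminUpdate(settings, submitted) {
  const { password, passwordSet, ...fields } = submitted.mailServer;
  const keep = typeof password !== 'string' || password === '';
  return {
    mailServer: {
      ...settings.mailServer,
      ...fields,
      password: keep ? settings.mailServer.password : password,
    },
  };
}
```

A quick check for this class of issue is to search the responses and DOM of the admin page for the stored secret; with the hardened view it should not appear anywhere.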

