| CVE | Vulnerability name | Date | Responsible Security Disclosure by | Vulnerabilities |
|-----|--------------------|------|------------------------------------|-----------------|
| In Progress VRF#20-08-LZGVF | Framebleed | 2018-03-09 to 2018-05-20 (timeline below) | | Cross Frame Scripting, Clickjacking and Improper Cache Control |

Timeline of the Framebleed report:

- Did send report.
- 2018-03-09: Team asked about scope of Wekan Responsible Security Disclosure.
- 2018-03-10: xet7 added more details to Wekan Security page about scope and security in Wekan.
- Report received, and discussed with Wekan users and developers. Max security can be enabled, unless on some platform it makes Wekan not work at all. Report content: Cross Frame Scripting, Clickjacking and Improper Cache Control. From the report: "We regularly conduct security testing on popular open source frameworks."
- Release by xet7: added Meteor packages for security: browser-policy for cross-site and clickjacking protection, and eluck:accounts-lockout for brute-force login protection. xet7 tested: PoC does not work anymore after addition of browser-policy. xet7 sent them info about the Wekan release, so that they can test whether there is still something to fix. This affected Wekan v0.7-v0.79.
- 2018-05-20: xet7 published all details of their report to this HoF page.
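As an added example (not Wekan's own code and not part of the original page), the Node.js script below checks an HTTP response header set for the three issue classes named in the report (Cross Frame Scripting, Clickjacking, Improper Cache Control) and reports which of the mitigations the release added are missing. The sample header sets are constructed, and the Meteor browser-policy calls named in the comments are the package's API as assumed here; the page only states that the package was added.

```javascript
'use strict';

// Normalise header names to lower case so lookups are case-insensitive,
// as HTTP header names are.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Does a Content-Security-Policy value restrict framing via frame-ancestors?
// Only 'none' or 'self' (and nothing else) count as restricting third-party framing.
function cspRestrictsFraming(csp) {
  if (!csp) return false;
  const directive = csp
    .split(';')
    .map((d) => d.trim().toLowerCase())
    .find((d) => d.startsWith('frame-ancestors'));
  if (!directive) return false;
  const sources = directive.split(/\s+/).slice(1);
  return sources.length > 0 && sources.every((s) => s === "'none'" || s === "'self'");
}

// Returns an array of findings; an empty array means the reported issue
// classes are mitigated by this response. ALLOW-FROM is deliberately not
// accepted: modern browsers ignore it, so it gives no protection.
function assessResponseHeaders(rawHeaders, { authenticated = true } = {}) {
  const h = normaliseHeaders(rawHeaders);
  const findings = [];

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const framingRestricted =
    xfo === 'DENY' || xfo === 'SAMEORIGIN' || cspRestrictsFraming(h['content-security-policy']);
  if (!framingRestricted) {
    // Cross Frame Scripting and Clickjacking share this single mitigation.
    findings.push({
      issue: 'Cross Frame Scripting / Clickjacking',
      detail: 'response can be embedded in a third-party frame',
      // Assumed Meteor API: the browser-policy package sets X-Frame-Options
      // SAMEORIGIN by default; BrowserPolicy.framing.disallow() sets DENY.
      fix: 'send X-Frame-Options: DENY or SAMEORIGIN, or CSP frame-ancestors',
    });
  }

  if (authenticated) {
    const directives = (h['cache-control'] || '').toLowerCase().split(',').map((d) => d.trim());
    if (!directives.includes('no-store')) {
      findings.push({
        issue: 'Improper Cache Control',
        detail: 'authenticated response may be stored by a shared or browser cache',
        fix: 'send Cache-Control: no-store (with no-cache, must-revalidate) on authenticated responses',
      });
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real Wekan instance):
// the first resembles a page with no protective headers, the second the
// header set a framing-restricted, non-cacheable page would carry.
const BEFORE_FIX = {
  'Content-Type': 'text/html; charset=utf-8',
};
const AFTER_FIX = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'DENY',
  'Cache-Control': 'no-store, no-cache, must-revalidate',
};

console.log('before fix:', assessResponseHeaders(BEFORE_FIX));
console.log('after fix:', assessResponseHeaders(AFTER_FIX));
```

Run it with `node check-headers.js` (any file name works). To check a live deployment you own, feed the function the `headers` object of a `fetch` response to an authenticated page; an empty findings array means framing is restricted and the response is marked `no-store`.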