Wekan — Hall of Fame / Framebleed

CVE	Vulnerability name	Date	Responsible Security Disclosure by	Vulnerabilities
In Progress VRF#20-08-LZGVF	Framebleed	2018-03-25	Team Did send detailed report!	Cross Frame Scripting Clickjacking Improper Cache Control Affected Wekan v0.7-v0.79

Timeline	Details
2018-03-09	Team asked about scope of Wekan Responsible Security Disclosure.
2018-03-10	xet7 added more details to Wekan Security page about scope and security in Wekan.
2018-03-25	Report received, and discussed with Wekan users and developers. Max security can be enabled, unless on some platform it makes Wekan not work at all. Report content: Bug Type Cross Frame Scripting, Clickjacking and Improper Cache Control. Report Team here. We regularly conducts security testing on open source popular frameworks. We found: Cross Frame Scripting and Clickjacking bugs in wekan due to lack of X-Frame-Options:SAMEORIGIN headers. Besides, We found no CSP's are present. Cache control isn't implemented. PoC: Iframe src=url html object
2018-04-04	Wekan v0.80 released by xet7: Added meteor packages for security: browser-policy for cross-site scripting and clickjacking protection, and eluck:accounts-lockout for bruteforce login protection. xet7 tested: PoC does not work anymore after addition of browser-policy. xet7 sent them info about Wekan release, so that they can test is there is still something to fix. This affected Wekan v0.7-v0.79
2018-05-20	xet7 published all details of their report to this HoF page. DONE Feature Request: Customize variables for eluck:accounts-lockout TODO Check that can Cache Control be added Wekan? For Friend platform where browser-policy and eluck:accounts-lockout can not be used because they break functionality, implement required Friend login auth for existing Wekan Friend branch that has existing Docker container and in progress issue about could Sandstorm run inside of Friend in desktop window (iframe), that is also mentioned at bottom of Wekan blog post about Wekan v1.00 and platforms.

Contents / Framebleed