Hall of Fame image from https://openclipart.org/detail/120343/trophy
Back to Hall of Fame Contents Back to Wekan Website

Contents / Framebleed

CVE Vulnerability name Date Responsible Security Disclosure by Vulnerabilities
In Progress VRF#20-08-LZGVF Framebleed

2018-03-25 Team

Did send report
  • Cross Frame Scripting
  • Clickjacking
  • Improper Cache Control
  • Affected Wekan v0.7-v0.79


Timeline Details
2018-03-09 Team asked about scope of Wekan Responsible Security Disclosure.
2018-03-10 xet7 added more details to Wekan Security page about scope and security in Wekan.
2018-03-25 Report received, and discussed with Wekan users and developers. Max security can be enabled, unless on some platform it makes Wekan not work at all. Report content:

Bug Type
Cross Frame Scripting, Clickjacking and Improper Cache Control.

Report
Team here.
We regularly conducts security testing on open source popular frameworks.
We found:
  • Cross Frame Scripting and Clickjacking bugs in wekan due to lack of X-Frame-Options:SAMEORIGIN headers.
  • Besides, We found no CSP's are present.
  • Cache control isn't implemented.
PoC: Iframe src=url html object

2018-04-04 Wekan v0.80 released by xet7: Added meteor packages for security: browser-policy for cross-site scripting and clickjacking protection, and eluck:accounts-lockout for bruteforce login protection. xet7 tested: PoC does not work anymore after addition of browser-policy. xet7 sent them info about Wekan release, so that they can test is there is still something to fix. This affected Wekan v0.7-v0.79

2018-05-20 xet7 published all details of their report to this HoF page.

DONE
TODO


Back to Hall of Fame Contents Back to Wekan Website