CVE-2025-55010
9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| kanboard | kanboard | < 1.2.47 | affected |
Weaknesses
- CWE-502: CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/kanboard/kanboard/security/advisories/GHSA-359x-c69j-q64r
- https://github.com/kanboard/kanboard/commit/7148ac092e5db6b33e0fc35e04bca328d96c1f6f
- https://github.com/kanboard/kanboard/blob/b033c0e0f982f8158e240bce8ab54c29727f8efe/app/Formatter/ProjectActivityEventFormatter.php#L43-L57
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.