Can you explain this vulnerability to me?

This vulnerability in Wekan up to version 18.15 is an authorization flaw in how card updates are handled. It allows board members, and potentially other authenticated users, to add or remove arbitrary user IDs in the vote.positive and vote.negative arrays. This means they can forge votes and vote on behalf of other users without authorization. The issue was fixed in version 18.16 by blocking direct client-side updates to voting fields and enforcing strict server-side authorization checks to ensure only the caller's own userId can be modified in voting arrays. [4]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can impact you by allowing unauthorized users or board members to manipulate voting results on Wekan boards. They can add or remove votes on behalf of other users, leading to vote forgery and potentially skewed decision-making processes. This undermines the integrity of the voting system and can cause incorrect or unfair outcomes in collaborative environments. [4]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade Wekan to version 18.16 or later where the issue is fixed. The fix blocks direct client-side updates to card voting fields and routes all voting actions through secure server methods enforcing strict authorization checks. Ensure that only authenticated board members or explicitly permitted users can modify votes, and that only the caller's own userId can be added or removed from vote arrays. Avoid using vulnerable versions up to 18.15. [2, 4]

Useful 0 Not Useful 0