exploitDog

CVE-2025-65781

Опубликовано: 15 дек. 2025

Источник: nvd

CVSS3: 8.2

EPSS Низкий

Описание

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing.

Ссылки

https://github.com/wekan/wekan
Product
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release
Release Notes
https://github.com/wekan/wekan/commit/ccd90343394f433b287733ad0a33c08e0a71f53c
Patch
https://wekan.fi/hall-of-fame/spacebleed/
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

Версия до 8.16 (исключая)

EPSS

Процентиль: 19%

0.00061

Низкий

8.2 High

CVSS3

Дефекты

CWE-287

Связанные уязвимости

GHSA-j27j-25gc-gv9v

CVSS3: 8.2

github

около 2 месяцев назад

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing.

EPSS

Процентиль: 19%

0.00061

Низкий

8.2 High

CVSS3

Дефекты

CWE-287