8.8

CVE-2025-52560

Medienbericht

Exploit

EPSS 0.05%
Veröffentlicht 24.06.2025 02:56:26
Zuletzt bearbeitet 13.01.2026 19:35:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set. This issue has been patched in version 1.2.46.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kanboard ≫ Kanboard Version < 1.2.46

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.167

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-640 Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

https://www.heise.de/news/Kanboard-Sicherheitsluecke-ermoeglicht-Kontouebernahme-10457116.html

Medienbericht

heise Security

09.08.2025 11:36

https://github.com/kanboard/kanboard/security/advisories/GHSA-2ch5-gqjm-8p92

Vendor Advisory

Exploit

https://github.com/kanboard/kanboard/commit/bca2bd7ab95e7990e358fd35a7daf51a9c16aa75

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-52560

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-52560

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-52560

EUVD