CVE-2025-52576

EPSS 0.3%
Veröffentlicht 25.06.2025 16:46:01
Zuletzt bearbeitet 22.08.2025 18:23:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kanboard ≫ Kanboard Version < 1.2.46

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.213

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7

Vendor Advisory

https://github.com/kanboard/kanboard/commit/3079623640dc39f9c7b0c840d2a79095331051f1

Patch

https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Model/UserLockingModel.php#L101-L104

Product

https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Subscriber/AuthSubscriber.php#L96-L108

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-52576

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-52576

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-52576

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-52576