Impact
Kanboard versions up to 1.2.52 contain a flaw in UserViewController::removeSession that does not validate the session ID supplied by the requester before passing it to RememberMeSessionModel::remove. As a result, any authenticated user can delete session IDs belonging to other users, including administrators, causing those users to be forced to re-authenticate and disrupting their access. This flaw is a session fixation weakness (CWE-639) and primarily leads to denial of service by removing persistent login sessions.
Affected Systems
Vulnerable are installations of Kanboard with versions 1.2.52 or earlier, provided by the vendor Kanboard. The patch that removes the issue is included in commit 928c68aa2b7c00092dd71084d329b912e229f3d1 and is available in releases after 1.2.52.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity. Because EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, the public exploitation likelihood is uncertain, but the flaw would be easy to use once an attacker has an authenticated session. The path to exploitation requires an attacker to possess valid credentials and then submit crafted session IDs to the deletion endpoint. Once exploited, the denial of service can affect any user, including administrators, leading to service disruption for the affected Kanboard instance.
OpenCVE Enrichment