DEBIAN-CVE-2025-55010

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-55010
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-55010.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-55010
Upstream
Published
2025-08-12T16:15:28.540Z
Modified
2025-11-20T10:18:25.168061Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

References

Affected packages

Debian:14 / kanboard

Package

Name
kanboard
Purl
pkg:deb/debian/kanboard?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.47+ds-1

Affected versions

1.*

1.2.22+ds-1
1.2.23+ds-1
1.2.23+ds-1.1
1.2.25+ds-1
1.2.25+ds-2
1.2.25+ds-3
1.2.26+ds-1
1.2.26+ds-2
1.2.26+ds-3
1.2.26+ds-4
1.2.30+ds-1
1.2.31+ds-1
1.2.31+ds2-1
1.2.44+ds-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-55010.json"