CVE-2025-52576 Information

Jun 26, 2025 cve

Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46 Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue.

Reference

https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Model/UserLockingModel.php#L101-L104 https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Subscriber/AuthSubscriber.php#L96-L108 https://github.com/kanboard/kanboard/commit/3079623640dc39f9c7b0c840d2a79095331051f1 https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7 https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7

CNNVD-202506-3194 (Published: 2025-06-25)

Share on:

CVE-2025-52576 Information

Description

Reference

Related CNNVD