CVE-2024–22720 / HTML Injection Vulnerability in Kanboard Group Management
Kanboard is a project management software that focuses on the Kanban methodology. It provides a visual approach to managing tasks, allowing users to see the progress of their work at a glance. The main interface is a board divided into columns, each representing a different stage of the workflow, such as “To Do,” “In Progress,” and “Done.” Users can create tasks in the form of cards, which can be moved between columns to reflect their current status. This setup helps teams to limit work-in-progress and manage workflow more efficiently.
Today, I’m going to discuss HTML Injection, a vulnerability that may seem minor but can be exploited maliciously. Despite its seemingly low impact, it can be used to automatically redirect users to different domains and even facilitate credential theft.
In this penetration test, I was logged into Kanboard as an administrator. My focus was on group management, where I explored the process of creating a new group.
Upon creating a new group, I identified a vulnerability in the ‘name’ field. I initially used the <h1> tags to test the field’s response. If the text size increased, it would confirm the vulnerability. After saving the group name successfully, I noticed that the tags were not executed, suggesting a potential issue.
I then added a test user, “Pentest” to the newly created group. As shown in the accompanying image, the user was successfully included in the group.
The real test came when I logged in as the “Pentest” user. In the ‘Group membership(s)’ field, I observed that the HTML tags were executed. This confirmed the vulnerability and highlighted its potential for malicious use, increasing its criticality.
Leveraging this HTML Injection, I crafted a payload that would automatically redirect any user accessing their profile to a malicious domain. This can be clearly seen in the gif provided below.
<meta http-equiv=”refresh” content=”0; url=http://evil.com/">
Furthermore, I experimented with different tags. In one instance, I used a tag that redirected users to a domain under my control upon clicking a link. This fake page prompted users to enter their username and password.
<a href=”https://cupc4k3.one" target=”_blank”>Click me!</a>
To conclude this article, I’ve briefly outlined the impacts and dangers a simple HTML Injection can pose to an application or company. In the context of a penetration test, not limited to just Kanboard but in various scenarios, such vulnerabilities could potentially affect numerous users.
Sometimes, a seemingly simple issue can have significant consequences and elevate the sophistication of your penetration test.
