### Key Information

#### Vulnerability Type
- **Authenticated Admin Remote Code Execution via Unsafe Deserialization of Events**

#### Affected Versions
- **Affected versions**: <= 1.2.46
- **Patched version**: 1.2.47

#### Vulnerability Description
- **Summary**: An unsafe deserialization vulnerability in the `ProjectActivityDeserializer` allows admins to inject arbitrary PHP objects by modifying the `event_name` field in the `project_activities` table. A malicious actor can exploit this field to use a PHP gadget to write a web shell into the `plugins/` folder, which then gives remote code execution on the host system.

#### Vulnerability Details
- **Problematic code**: The problematic code is in `kanboard/app/Serializer/ProjectActivityEventTransformer.php`.
- **Exploitation**: The app uses `unserialize()` to deserialize data into a PHP object. If an attacker modifies the `event_name` field with a specific value, it triggers the deserialization of a PHP gadget that writes a web shell.

#### Exploitation Steps (PoC)
1. Log in as the default admin user.
2. Create a project and a task.
3. Download and unzip the database.
4. Find a target row in the `project_activities` table and update the `event_name` field to `comment.create`.
5. Download the following PHP gadget file and put it in your working directory.
6. Use the Python script to update the `data` column for the row you're targeting.
7. Reload the site and visit the task activity stream.

#### Impact
- **Impact**:
  - Arbitrary remote code execution on the host as the PHP process user.
  - Full filesystem access, including writing to the plugins directory.
  - Persistence (reverse shell or web shell survives restart).
  - Data exfiltration, data tampering, or denial of service.

#### Security Severity
- **Severity**: Critical

#### CVE ID
- **CVE-2020-5070**
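The root cause described under Vulnerability Details is a bare `unserialize()` over a database column an admin can edit. The following PHP sketch, added here as an illustration and not Kanboard's own code (class, method and constant names are assumptions), places that vulnerable pattern beside a hardened transformer that treats the `event_name` and `data` columns as untrusted input:

```php
<?php
// Added illustrative example; not code from the Kanboard project.
// Names below (transformUnsafe, ProjectActivityEventTransformer, KNOWN_EVENTS) are assumptions.

// Vulnerable pattern: the stored `data` column goes straight into unserialize(),
// so any autoloadable class can be instantiated and its __wakeup/__destruct run.
function transformUnsafe(string $eventName, string $data): array
{
    return ['event_name' => $eventName, 'payload' => unserialize($data)];
}

// Hardened pattern: allow-list the event name and refuse to instantiate objects.
final class ProjectActivityEventTransformer
{
    // Constructed sample allow-list; a real deployment would use the application's
    // own event-name constants rather than this hand-written list.
    private const KNOWN_EVENTS = ['task.create', 'task.update', 'comment.create'];

    public function transform(string $eventName, string $data): array
    {
        if (!in_array($eventName, self::KNOWN_EVENTS, true)) {
            throw new InvalidArgumentException('Unknown event name: ' . $eventName);
        }

        // allowed_classes => false (PHP >= 7.0): any serialized object is restored as
        // __PHP_Incomplete_Class, so no gadget class is loaded and no magic method runs.
        $payload = unserialize($data, ['allowed_classes' => false]);
        if ($payload === false && $data !== serialize(false)) {
            throw new UnexpectedValueException('Malformed event payload');
        }
        if (is_object($payload)) {
            // Activity payloads are expected to be plain arrays; reject anything else.
            throw new UnexpectedValueException('Object payloads are not permitted');
        }

        // Stronger still: persist payloads as JSON and decode with json_decode(),
        // which never instantiates classes:
        // $payload = json_decode($data, true, 512, JSON_THROW_ON_ERROR);
        return ['event_name' => $eventName, 'payload' => $payload];
    }
}
```

Detection-wise, `project_activities` rows whose `data` column begins with `O:` (a serialized object) rather than `a:` (an array) are worth alerting on in an installation that only ever stores array payloads.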