### [CVE-2024-54001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54001)
![](https://img.shields.io/static/v1?label=Product&message=kanboard&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%201.2.41%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-80%3A%20Improper%20Neutralization%20of%20Script-Related%20HTML%20Tags%20in%20a%20Web%20Page%20(Basic%20XSS)&color=brightgreen)

### Description

Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format,application_timezone and application_time_format allow arbirary user input which is reflected. The vulnerability can become xss if the user input is javascript code that bypass CSP. This vulnerability is fixed in 1.2.41.

### POC

#### Reference
- https://github.com/kanboard/kanboard/security/advisories/GHSA-4vvp-jf72-chrj

#### Github
No PoCs found on GitHub currently.