{"id":"CVE-2023-28485","details":"A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they have BoardAdmin access), and renameAttachment does not block XSS payloads.","modified":"2026-04-10T04:56:56.910275Z","published":"2023-06-26T16:15:09.537Z","references":[{"type":"WEB","url":"https://wekan.github.io/"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/172649/Wekan-6.74-Cross-Site-Scripting.html"},{"type":"EVIDENCE","url":"https://wekan.github.io/hall-of-fame/filebleed/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wekan/wekan","events":[{"introduced":"0"},{"fixed":"aa0e1955b0ab3c0c62b3ccb3c9e1fd24b83debe9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.75"}]}}],"versions":["4.30","4.31","stable","v0.10-rc2","v0.10.0","v0.10.0-rc1","v0.10.0-rc3","v0.10.0-rc4","v0.11.0-rc1","v0.11.0-rc2","v0.11.1-rc1","v0.11.1-rc2","v0.12","v0.13","v0.16","v0.17","v0.18","v0.19","v0.20","v0.21","v0.22","v0.23","v0.24","v0.25","v0.26","v0.27","v0.28","v0.29","v0.30","v0.31","v0.32","v0.33","v0.34","v0.35","v0.36","v0.37","v0.38","v0.39","v0.40","v0.41","v0.42","v0.43","v0.44","v0.45","v0.46","v0.47","v0.48","v0.49","v0.50","v0.51","v0.52","v0.54","v0.55","v0.56","v0.57","v0.58","v0.59","v0.60","v0.61","v0.62","v0.63","v0.65","v0.66","v0.67","v0.68","v0.69","v0.70","v0.71","v0.72","v0.73","v0.74","v0.75","v0.76","v0.77","v0.78","v0.79","v0.80","v0.81","v0.82","v0.83","v0.84","v0.85","v0.86","v0.87","v0.88","v0.89","v0.9.0-rc1","v0.9.0-rc2","v0.90","v0.91","v0.92","v0.93","v0.94","v0.95","v1.06","v1.07","v1.08","v1.09","v1.10","v1.11","v1.12","v1.13","v1.14","v1.15","v1.16","v1.17","v1.18","v1.19","v1.20","v1.21","v1.23","v1.24","v1.25","v1.26","v1.27","v1.29","v1.30","v1.31","v1.32","v1.33","v1.34","v1.35","v1.36","v1.37","v1.38","v1.39","v1.40","v1.41","v1.42","v1.43","v1.44","v1.45","v1.46","v1.47","v1.49-edge-1","v1.49.1","v1.50.1","v1.50.2","v1.50.3","v1.51.1","v1.51.2","v1.52.1","v1.53.1","v1.53.2","v1.53.3","v1.53.4","v1.53.5","v1.53.6","v1.53.7","v1.53.8","v1.53.9","v1.55.1","v1.57","v1.58","v1.59","v1.60","v1.61","v1.62","v1.63","v1.64","v1.64.1","v1.64.2","v1.65","v1.66","v1.67","v1.68","v1.69","v1.69.2","v2.60.1","v2.94","v2.98","v2.99","v3.00","v3.01","v3.02","v3.03","v3.04","v3.05","v3.06","v3.07","v3.08","v3.09","v3.10","v3.11","v3.12","v3.13","v3.14","v3.15","v3.16","v3.17","v3.18","v3.19","v3.20","v3.21","v3.22","v3.23","v3.24","v3.25","v3.26","v3.27","v3.29","v3.30","v3.31","v3.32","v3.33","v3.34","v3.35","v3.36","v3.37","v3.38","v3.39","v3.40","v3.41","v3.42","v3.43","v3.44","v3.45","v3.46","v3.47","v3.48","v3.49","v3.50","v3.51","v3.52","v3.53","v3.54","v3.55","v3.56","v3.57","v3.58","v3.59","v3.60","v3.61","v3.62","v3.63","v3.64","v3.65","v3.66","v3.67","v3.68","v3.69","v3.70","v3.71","v3.73","v3.74","v3.75","v3.76","v3.77","v3.78","v3.79","v3.80","v3.81","v3.82","v3.83","v3.84","v3.85","v3.86","v3.87","v3.88","v3.89","v3.90","v3.91","v3.92","v3.93","v3.94","v3.95","v3.96","v3.97","v3.98","v3.99","v4.00","v4.01","v4.02","v4.03","v4.04","v4.05","v4.06","v4.07","v4.08","v4.09","v4.10","v4.11","v4.12","v4.13","v4.14","v4.15","v4.16","v4.17","v4.18","v4.19","v4.20","v4.21","v4.22","v4.23","v4.24","v4.25","v4.26","v4.27","v4.28","v4.29","v4.32","v4.33","v4.34","v4.35","v4.36","v4.37","v4.38","v4.39","v4.40","v4.41","v4.42","v4.43","v4.44","v4.45","v4.46","v4.47","v4.48","v4.49","v4.50","v4.51","v4.52","v4.53","v4.54","v4.55","v4.56","v4.57","v4.58","v4.59","v4.60","v4.61","v4.62","v4.63","v4.64","v4.65","v4.66","v4.67","v4.68","v4.69","v4.70","v4.71","v4.72","v4.73","v4.74","v4.75","v4.76","v4.77","v4.78","v4.79","v4.80","v4.81","v4.82","v4.83","v4.84","v4.85","v4.86","v4.87","v4.88","v4.89","v4.90","v4.91","v4.92","v4.93","v4.94","v4.95","v4.96","v4.98","v4.99","v5.00","v5.01","v5.02","v5.03","v5.04","v5.05","v5.06","v5.07","v5.08","v5.09","v5.10","v5.11","v5.12","v5.13","v5.14","v5.15","v5.16","v5.17","v5.18","v5.19","v5.20","v5.21","v5.22","v5.23","v5.24","v5.25","v5.26","v5.27","v5.29","v5.30","v5.31","v5.32","v5.33","v5.34","v5.35","v5.36","v5.37","v5.38","v5.39","v5.40","v5.41","v5.42","v5.43","v5.44","v5.45","v5.46","v5.47","v5.48","v5.49","v5.50","v5.51","v5.52","v5.53","v5.54","v5.55","v5.56","v5.57","v5.58","v5.59","v5.60","v5.61","v5.62","v5.63","v5.64","v5.65","v5.66","v5.67","v5.68","v5.69","v5.70","v5.71","v5.72","v5.73","v5.74","v5.75","v5.76","v5.77","v5.78","v5.79","v5.80","v5.81","v5.82","v5.83","v5.84","v5.85","v5.86","v5.87","v5.88","v5.89","v5.90","v5.91","v5.92","v5.93","v5.94","v5.95","v5.96","v5.97","v5.98","v5.99","v6.00","v6.01","v6.02","v6.03","v6.04","v6.05","v6.10","v6.11","v6.12","v6.13","v6.14","v6.15","v6.16","v6.17","v6.18","v6.23","v6.24","v6.25","v6.26","v6.27","v6.28","v6.29","v6.30","v6.31","v6.32","v6.33","v6.34","v6.35","v6.36","v6.37","v6.38","v6.39","v6.40","v6.41","v6.42","v6.43","v6.44","v6.45","v6.46","v6.47","v6.48","v6.49","v6.50","v6.51","v6.52","v6.53","v6.54","v6.55","v6.56","v6.57","v6.58","v6.59","v6.60","v6.61","v6.62","v6.65","v6.67","v6.68","v6.69","v6.70","v6.71","v6.72","v6.73","v6.74"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28485.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}