Security Fix 4: Cross-board card move without destination authorization.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
2026-01-04 00:28:49 +01:00 · 2025-12-29 16:39:23 +02:00 · 2025-12-29 16:39:23 +02:00 · 198509e760
commit 198509e760
parent 67cb47173c
1 changed files with 31 additions and 0 deletions
--- a/models/cards.js
+++ b/models/cards.js
@ -4292,6 +4292,37 @@ JsonRoutes.add('GET', '/api/boards/:boardId/cards_count', function(
        );
      }
      if (newBoardId && newSwimlaneId && newListId) {
+        // Validate destination board access
+        Authentication.checkBoardAccess(req.userId, newBoardId);
+
+        // Validate that the destination list exists and belongs to the destination board
+        const destList = ReactiveCache.getList({
+          _id: newListId,
+          boardId: newBoardId,
+          archived: false,
+        });
+        if (!destList) {
+          JsonRoutes.sendResult(res, {
+            code: 404,
+            data: { error: 'Destination list not found or does not belong to destination board' },
+          });
+          return;
+        }
+
+        // Validate that the destination swimlane exists and belongs to the destination board
+        const destSwimlane = ReactiveCache.getSwimlane({
+          _id: newSwimlaneId,
+          boardId: newBoardId,
+          archived: false,
+        });
+        if (!destSwimlane) {
+          JsonRoutes.sendResult(res, {
+            code: 404,
+            data: { error: 'Destination swimlane not found or does not belong to destination board' },
+          });
+          return;
+        }
+
        // Move the card to the new board, swimlane, and list
        Cards.direct.update(
          {