Affected by GO-2026-4480 and 20 other vulnerabilities

GO-2026-4480: Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api

GO-2026-4551: Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api

GO-2026-4552: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api

GO-2026-4553: Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api

GO-2026-4556: Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api

GO-2026-4575: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api

GO-2026-4791: Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api

GO-2026-4794: Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

GO-2026-4797: Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

GO-2026-4798: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api

GO-2026-4805: Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api

GO-2026-4811: Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api

GO-2026-4846: Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api

GO-2026-4847: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api

GO-2026-4848: Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api

GO-2026-4849: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api

GO-2026-4850: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api

GO-2026-4851: Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api

GO-2026-4852: Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api

GO-2026-4853: Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api

GO-2026-4855: Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api

handler

package

v0.19.2 Latest Latest Go to latest Published: Aug 17, 2022 License: AGPL-3.0 Imports: 26 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

git.kolaente.de/vikunja/api

Links

Open Source Insights

Documentation ¶

Index ¶

func CreateBlurHash(srcf io.Reader) (hash string, err error)
func GetListBackground(c echo.Context) error
func RemoveListBackground(c echo.Context) error
func SaveBackgroundFile(s *xorm.Session, auth web.Auth, list *models.List, srcf io.ReadSeeker, ...) (err error)
type BackgroundProvider

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CreateBlurHash ¶ added in v0.19.0

func CreateBlurHash(srcf io.Reader) (hash string, err error)

func GetListBackground ¶

func GetListBackground(c echo.Context) error

GetListBackground serves a previously set background from a list It has no knowledge of the provider that was responsible for setting the background. @Summary Get the list background @Description Get the list background of a specific list. **Returns json on error.** @tags list @Produce octet-stream @Param id path int true "List ID" @Security JWTKeyAuth @Success 200 {} string "The list background file." @Failure 403 {object} models.Message "No access to this list." @Failure 404 {object} models.Message "The list does not exist." @Failure 500 {object} models.Message "Internal error" @Router /lists/{id}/background [get]

func RemoveListBackground ¶ added in v0.17.0

func RemoveListBackground(c echo.Context) error

RemoveListBackground removes a list background, no matter the background provider @Summary Remove a list background @Description Removes a previously set list background, regardless of the list provider used to set the background. It does not throw an error if the list does not have a background. @tags list @Produce json @Param id path int true "List ID" @Security JWTKeyAuth @Success 200 {object} models.List "The list" @Failure 403 {object} models.Message "No access to this list." @Failure 404 {object} models.Message "The list does not exist." @Failure 500 {object} models.Message "Internal error" @Router /lists/{id}/background [delete]

func SaveBackgroundFile ¶ added in v0.19.0

func SaveBackgroundFile(s *xorm.Session, auth web.Auth, list *models.List, srcf io.ReadSeeker, filename string, filesize uint64) (err error)

Types ¶

type BackgroundProvider ¶

type BackgroundProvider struct {
	Provider func() background.Provider
}

BackgroundProvider represents a thing which holds a background provider Lets us get a new fresh provider every time we need one.

func (*BackgroundProvider) SearchBackgrounds ¶

func (bp *BackgroundProvider) SearchBackgrounds(c echo.Context) error

SearchBackgrounds is the web handler to search for backgrounds

func (*BackgroundProvider) SetBackground ¶

func (bp *BackgroundProvider) SetBackground(c echo.Context) error

SetBackground sets an Image as list background

func (*BackgroundProvider) UploadBackground ¶

func (bp *BackgroundProvider) UploadBackground(c echo.Context) error

UploadBackground uploads a background and passes the id of the uploaded file as an Image to the Set function of the BackgroundProvider.

Source Files ¶

View all Source files

background.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL