ASA-2019-00103 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Kanboard Plugin allowed Server-Side Request Forgery (SSRF)

Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to have Jenkins submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
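The two defects described above, a form validation method without a permission check and without a POST requirement, are a recurring pattern in Jenkins plugins. The following is an added illustration written for this page; it is not the Kanboard Plugin's code and makes no claim about how that plugin is implemented. The class, method and field names (`ExampleServiceConfiguration`, `doCheckServerUrlUnsafe`, `doCheckServerUrl`, `probe`) are hypothetical; the Jenkins and Stapler APIs used (`GlobalConfiguration`, `FormValidation`, `@QueryParameter`, `@RequirePOST`, `Jenkins.get().checkPermission`) are real. The unsafe method shows the anti-pattern the advisory describes, and the method beneath it shows the corrected form.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Hypothetical global configuration for a plugin that talks to an external
 * service. Only the shape of the form validation methods matters here.
 */
@Extension
public class ExampleServiceConfiguration extends GlobalConfiguration {

    @Override
    public String getDisplayName() {
        return "Example Service (hypothetical)";
    }

    /**
     * BEFORE: the defect class this advisory describes. Stapler exposes this
     * as a GET-able URL to anyone with Overall/Read, and the method connects
     * to whatever URL the caller supplies. No permission check, no POST
     * requirement, so both SSRF and CSRF apply.
     */
    public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
        return probe(value);
    }

    /**
     * AFTER: the hardened form.
     *  - @RequirePOST rejects GET requests, so a link or image tag embedded in
     *    another page cannot make a logged-in victim trigger the request.
     *  - checkPermission restricts the outbound connection to users who may
     *    change global configuration; everyone else gets an AccessDeniedException.
     */
    @RequirePOST
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(value);
    }

    /** Shared connectivity check; identical in both variants. */
    private static FormValidation probe(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(value).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int code = conn.getResponseCode();
            return code == HttpURLConnection.HTTP_OK
                    ? FormValidation.ok("Connection succeeded")
                    : FormValidation.warning("Server answered HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Could not connect: " + e.getMessage());
        }
    }
}
```

For a descriptor scoped to a job rather than to global configuration, the equivalent check is against the enclosing item (for example `item.checkPermission(Item.CONFIGURE)` with an `@AncestorInPath Item item` parameter) instead of `Jenkins.ADMINISTER`. Note that the fix does not stop the validation method from making an outbound request; it limits who can trigger it and how, which is exactly the scope of the two issues named above.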