<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Xboard - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/xboard/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/xboard/feed.xml" rel="self" type="application/rss+xml"/><item><title>V2Board and Xboard Authentication Bypass via Exposed Tokens</title><link>https://feed.craftedsignal.io/briefs/2024-01-v2board-xboard-auth-bypass/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-v2board-xboard-auth-bypass/</guid><description>V2Board and Xboard are vulnerable to authentication bypass due to exposing authentication tokens in HTTP response bodies, allowing unauthenticated attackers to gain complete account access.</description><content:encoded><![CDATA[<p>V2Board versions 1.6.1 through 1.7.4 and Xboard versions through 0.1.9 are vulnerable to an authentication bypass vulnerability, tracked as CVE-2026-39912. This vulnerability exists in the <code>loginWithMailLink</code> endpoint when the <code>login_with_mail_link_enable</code> feature is active. An unauthenticated attacker can exploit this vulnerability by sending a POST request to the <code>loginWithMailLink</code> endpoint with a known email address. The server responds with a full authentication URL containing a token, which can then be exchanged at the <code>token2Login</code> endpoint to obtain a valid bearer token, granting the attacker complete account access, potentially including administrative privileges. This allows for a complete account takeover without any prior authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a target V2Board or Xboard instance running a vulnerable version (V2Board 1.6.1-1.7.4 or Xboard &lt;= 0.1.9) with the <code>login_with_mail_link_enable</code> feature enabled.</li>
<li>The attacker identifies a valid email address associated with an account on the target V2Board/Xboard instance.</li>
<li>The attacker sends an unauthenticated POST request to the <code>/loginWithMailLink</code> endpoint, including the target email address in the request body.</li>
<li>The server responds with an HTTP response body containing a URL that includes an authentication token (e.g., <code>https://example.com/auth?token=YOUR_TOKEN</code>).</li>
<li>The attacker extracts the authentication token from the URL provided in the response.</li>
<li>The attacker sends a request (likely POST) to the <code>/token2Login</code> endpoint, providing the extracted authentication token in the request body.</li>
<li>The server validates the token and responds with a valid bearer token.</li>
<li>The attacker uses the acquired bearer token to authenticate to the application and gain complete account access, potentially including administrative privileges, allowing them to modify settings, access sensitive data, and perform unauthorized actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-39912 allows an unauthenticated attacker to gain complete control of user accounts on affected V2Board and Xboard instances. This can lead to data breaches, service disruption, and unauthorized modifications to the platform. Given that V2Board and Xboard are often used for subscription management and content delivery, a successful attack could compromise sensitive user data, including payment information and personal details. The vulnerability has a CVSS v3.1 base score of 9.1, indicating its critical severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Disable the <code>login_with_mail_link_enable</code> feature immediately as a temporary mitigation.</li>
<li>Upgrade V2Board to a version later than 1.7.4 or Xboard to a version later than 0.1.9 to patch CVE-2026-39912.</li>
<li>Deploy the Sigma rule &quot;Detect V2Board/Xboard loginWithMailLink Request&quot; to monitor for suspicious requests to the <code>/loginWithMailLink</code> endpoint.</li>
<li>Deploy the Sigma rule &quot;Detect V2Board/Xboard token2Login Request&quot; to monitor for suspicious requests to the <code>/token2Login</code> endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-39912</category><category>v2board</category><category>xboard</category><category>authentication-bypass</category><category>webserver</category></item></channel></rss>