Leantime: >> Leantime >> 3.0.6 Security Vulnerabilities
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().
CVSS Score
5.4
EPSS Score
0.0
Published
2025-03-28
Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators.
CVSS Score
8.8
EPSS Score
0.004
Published
2024-04-10
Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket.
CVSS Score
4.7
EPSS Score
0.002
Published
2024-04-10
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-04-10
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint.
CVSS Score
7.6
EPSS Score
0.001
Published
2024-04-03
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2024-03-13
Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time of publication, a patch does not exist.
CVSS Score
8.9
EPSS Score
0.003
Published
2023-05-30