CVE-2025-28254

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-28254
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28254.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-28254
Aliases
Published
2025-03-28T21:15:17.710Z
Modified
2025-11-20T12:35:03.797178Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().

References

Affected packages

Git / github.com/leantime/leantime

Affected ranges

Type
GIT
Repo
https://github.com/leantime/leantime
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ce1d2073e4601183e1bdd90f4b433d16aee46a50

Affected versions

v0.*

v0.9.5-alpha

v2.*

v2.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1
v2.1-beta
v2.1-beta2
v2.1-beta3
v2.1-beta4b
v2.1-beta5
v2.1-beta6
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3-beta
v2.3.0-beta
v2.3.1-beta
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4
v2.4-31940634
v2.4-beta
v2.4-beta-7
v2.4-beta-8
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.7
v2.4.8

v3.*

v3.0.0
v3.0.0-beta
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.1.0-beta
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.0-beta
v3.2.0-beta-2
v3.2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28254.json"