GHSA-c39w-3pjx-qc7m

Source
https://github.com/advisories/GHSA-c39w-3pjx-qc7m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-c39w-3pjx-qc7m/GHSA-c39w-3pjx-qc7m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c39w-3pjx-qc7m
Published
2025-02-21T22:48:46Z
Modified
2025-02-21T23:12:28.248022Z
Severity
  • 7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Leantime allows Stored Cross-Site Scripting (XSS)
Details

Description

Leantime allows stored cross-site scripting (XSS) via the API key name supplied when generating an API key.

Impact

Any low-privileged user, such as a manager or editor, can create an API key whose name contains an XSS payload. When an admin visits the Company page, the payload is triggered automatically, leading to unauthorized actions performed from the admin account, such as removing any user, granting someone else a high-privilege role, and many more.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-21T22:48:46Z"
}
References

Affected packages

Packagist / leantime/leantime

Package

Name
leantime/leantime
Purl
pkg:composer/leantime/leantime

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.3

Affected versions

v2.*

v2.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.1-beta
v2.1-beta2
v2.1-beta3
v2.1-beta5
v2.1-beta6
v2.1
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.2.11
v2.3.0-beta
v2.3.1-beta
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27

2.*

2.4-beta
2.4-beta-7
2.4-beta-8
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.7
2.4.8

3.*

3.0.0-beta
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0-beta
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0-beta
3.2.0-beta-2
3.2.0
3.2.1