GHSA-v4q9-437p-mhpg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v4q9-437p-mhpg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-v4q9-437p-mhpg/GHSA-v4q9-437p-mhpg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v4q9-437p-mhpg
- Published
- 2025-02-21T22:48:26Z
- Modified
- 2025-02-21T23:12:10.340478Z
- Severity
-
- 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Leantime allows Cross Site Scripting (XSS) and SQL Injection (SQLi)
- Details
-
Summary
A cross-site scripting (XSS) vulnerability has been identified in Leantime. The vulnerability allows an attacker to inject malicious scripts into certain fields, potentially leading to the execution of arbitrary code or unauthorized access to user-sensitive information. The code does not include any validation or sanitization of the $_GET["id"] parameter. As a result, it directly incorporates the user-supplied value into the source path without any checks.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79", "CWE-89" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-02-21T22:48:26Z" }- References
Affected packages
Packagist / leantime/leantime
Package
- Name
- leantime/leantime
- Purl
- pkg:composer/leantime/leantime
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.3
Affected versions
v2.*
v2.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.1-beta
v2.1-beta2
v2.1-beta3
v2.1-beta5
v2.1-beta6
v2.1
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.2.11
v2.3.0-beta
v2.3.1-beta
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
2.*
2.4-beta
2.4-beta-7
2.4-beta-8
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.7
2.4.8
3.*
3.0.0-beta
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0-beta
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0-beta
3.2.0-beta-2
3.2.0
3.2.1