GHSA-52xf-h226-pfgx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-52xf-h226-pfgx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-52xf-h226-pfgx/GHSA-52xf-h226-pfgx.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-52xf-h226-pfgx
- Published
- 2025-02-21T22:15:26Z
- Modified
- 2025-02-21T22:28:01.308899Z
- Severity
-
- 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Leantime allows Refelected Cross-Site Scripting (XSS)
- Details
-
Summary
The vulnerability in Leantime's "overdue" section allows attackers to upload malicious image files containing XSS payloads. When other users view these files, the scripts execute, enabling attackers to steal sensitive information or perform unauthorized actions. Improving input validation and output encoding in the file upload process can prevent this exploit. Accessing and enhancing the relevant source code modules is crucial for addressing this security flaw effectively.
Impact
This XSS vulnerability allows attackers to inject malicious scripts into the Leantime application, compromising user data, session tokens, and potentially executing unauthorized actions on behalf of users. Exploitation could lead to account takeover, data theft, and unauthorized access to sensitive information, posing a significant risk to user privacy, data integrity, and system security.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-02-21T22:15:26Z" }- References
Affected packages
Packagist / leantime/leantime
Package
- Name
- leantime/leantime
- Purl
- pkg:composer/leantime/leantime
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.3