GHSA-3hfj-qcvj-4hx8: Leantime has Missing Authorization Check for Host Parameter

Finding Description

The application has functionality for a user to view profile information. It does not implement an authorization check on the "Host" parameter, which allows a user to view another user's profile information by replacing the "Host" parameter.

Impact

By exploiting this vulnerability an attacker is able to view profile information (but cannot view anything else or change anything).
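The following is an added illustration of the defect class the advisory describes and of the corresponding fix; it is not Leantime's code. The advisory does not say which request field carries the profile selector beyond calling it the "Host" parameter, so the example uses a generic `id` key as a placeholder, and `findProfile()`, the session layout and the sample users are constructed for the example.

```php
<?php
// Added example, not Leantime's code. Assumed: a session array holding the
// caller's user id and role, a hypothetical findProfile() loader, and a
// request parameter (placeholder key "id") that selects which profile to show.

declare(strict_types=1);

final class AuthorizationException extends RuntimeException {}

/** Hypothetical stand-in for the application's user store lookup. */
function findProfile(array $users, int $id): ?array
{
    return $users[$id] ?? null;
}

/**
 * Vulnerable pattern: the profile to show is taken straight from the request
 * and never compared with who is asking, so any authenticated user can read
 * any other user's profile just by changing the parameter.
 */
function showProfileVulnerable(array $users, array $request): ?array
{
    $requested = (int) ($request['id'] ?? 0);
    return findProfile($users, $requested);
}

/**
 * Hardened pattern: the identifier is still accepted from the request, but the
 * handler enforces, from server-side session state only, that the caller owns
 * the requested profile or holds an admin role. Denials are logged so that
 * parameter-tampering attempts are visible to the operator.
 */
function showProfileHardened(array $users, array $request, array $session): ?array
{
    $requested   = (int) ($request['id'] ?? 0);
    $currentUser = (int) ($session['userId'] ?? 0);
    $isAdmin     = ($session['role'] ?? '') === 'admin';

    if ($requested !== $currentUser && !$isAdmin) {
        // Deny without revealing whether the target id exists.
        error_log(sprintf('authz denied: user %d requested profile %d', $currentUser, $requested));
        throw new AuthorizationException('Not allowed to view this profile');
    }
    return findProfile($users, $requested);
}

// Constructed sample data so the file runs stand-alone.
$users = [
    1 => ['id' => 1, 'name' => 'alice', 'email' => 'alice@example.test'],
    2 => ['id' => 2, 'name' => 'bob',   'email' => 'bob@example.test'],
];
$session = ['userId' => 1, 'role' => 'user'];

// Alice asks for Bob's profile: the vulnerable handler hands it over.
echo "vulnerable: ", showProfileVulnerable($users, ['id' => '2'])['name'], PHP_EOL;

// The hardened handler refuses the same request.
try {
    showProfileHardened($users, ['id' => '2'], $session);
} catch (AuthorizationException $e) {
    echo "hardened: ", $e->getMessage(), PHP_EOL;
}

// Her own profile is still served.
echo "hardened (own): ", showProfileHardened($users, ['id' => '1'], $session)['name'], PHP_EOL;
```

The point of the hardened version is that the decision is made from session state the client cannot control; accepting an identifier from the request is fine as long as every handler that uses it re-checks ownership or role before returning data.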



Low severity GitHub Reviewed Published Feb 18, 2025 in Leantime/leantime • Updated Feb 21, 2025

Package

composer leantime/leantime (Composer)

References

  • GHSA-3hfj-qcvj-4hx8

Published to the GitHub Advisory Database

Feb 21, 2025

Last updated

Feb 21, 2025
