Headline
GHSA-v4q9-437p-mhpg: Leantime allows Cross Site Scripting (XSS) and SQL Injection (SQLi)
Summary
A cross-site scripting (XSS) vulnerability has been identified in Leantime. The vulnerability allows an attacker to inject malicious scripts into certain fields, potentially leading to the execution of arbitrary code or unauthorized access to user-sensitive information. The code does not include any validation or sanitization of the $_GET[“id”] parameter. As a result, it directly incorporates the user-supplied value into the source path without any checks.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-v4q9-437p-mhpg
Leantime allows Cross Site Scripting (XSS) and SQL Injection (SQLi)
High severity GitHub Reviewed Published Feb 18, 2025 in Leantime/leantime • Updated Feb 21, 2025
Package
composer leantime/leantime (Composer)
Summary
A cross-site scripting (XSS) vulnerability has been identified in Leantime. The vulnerability allows an attacker to inject malicious scripts into certain fields, potentially leading to the execution of arbitrary code or unauthorized access to user-sensitive information. The code does not include any validation or sanitization of the $_GET[“id”] parameter. As a result, it directly incorporates the user-supplied value into the source path without any checks.
References
- GHSA-v4q9-437p-mhpg
Published to the GitHub Advisory Database
Feb 21, 2025
Last updated
Feb 21, 2025