GHSA-92xh-6x7v-4rmq: Leantime allows Cross-Site Request Forgery (CSRF)
CSRF
Summary
A cross-site request forgery vulnerability allows a remote attacker to create an account with Owner privileges. If a logged-in Owner or Administrator is lured into clicking a button on an attacker-controlled website, the victim's browser submits a forged account-creation request with the victim's session attached, and the application creates an account with the attacker's details and a role of the attacker's choosing.
Impact
The likelihood of successful exploitation is low, because it requires a privileged user to interact with an attacker-controlled page while logged in, but the impact is high: with an Owner account the attacker gains complete control over the victim's environment.
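The attack described above works because the browser attaches the Owner's session cookie to a POST that the attacker's page auto-submits, and nothing in the request proves it came from the application's own form. The following PHP is an added illustration, not Leantime's code or its actual fix: a synchronizer-token check (a secret the attacker's page cannot read) combined with an Origin/Referer check and a SameSite session cookie. The handler, field and host names (`handle_create_user`, `csrf_token`, `OWN_HOST`) are hypothetical, and the requests at the bottom are constructed, not captured traffic.

```php
<?php
declare(strict_types=1);

// Added illustration, not Leantime's code. All handler, field and host names
// are hypothetical.

const OWN_HOST = 'leantime.example.internal'; // hypothetical deployment host

// Mark the session cookie SameSite so browsers omit it on cross-site POSTs
// in the first place (defence in depth, not a substitute for the token).
session_set_cookie_params([
    'samesite' => 'Lax',
    'httponly' => true,
    'secure'   => true,
]);
session_start();

// Issue (or reuse) a per-session token; embed it as a hidden field in every
// state-changing form, e.g. <input type="hidden" name="csrf_token" value="...">.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or empty token never validates.
function csrf_token_valid(?string $submitted, ?string $expected): bool
{
    return $submitted !== null && $expected !== null
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Browsers send Origin on cross-site POSTs. Reject anything not from our host;
// fail closed when neither Origin nor Referer is present.
function origin_allowed(array $headers, string $ownHost): bool
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if (!is_string($source)) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Hypothetical user-creation handler showing where the guard belongs.
// Returns an HTTP status code.
function handle_create_user(string $method, array $post, array $headers): int
{
    if ($method !== 'POST') {
        return 405;
    }
    if (!origin_allowed($headers, OWN_HOST)) {
        return 403; // forged request from a foreign origin is rejected here
    }
    if (!csrf_token_valid($post['csrf_token'] ?? null, $_SESSION['csrf_token'] ?? null)) {
        return 403; // the attacker's page cannot read the token, so this fails too
    }
    // Only now create the user with the requested role. Role assignment must
    // additionally be authorised against the acting user's own role.
    return 201;
}

// Simulated requests (constructed for this example, not captured traffic).
$token  = csrf_token();
$forged = handle_create_user(
    'POST',
    ['username' => 'attacker', 'role' => 'owner'],   // no token in the body
    ['Origin' => 'https://attacker.example']         // foreign origin
);
$legit  = handle_create_user(
    'POST',
    ['username' => 'newuser', 'role' => 'editor', 'csrf_token' => $token],
    ['Origin' => 'https://' . OWN_HOST]
);
printf("forged: %d, legitimate: %d\n", $forged, $legit);
```

To confirm the fix on a deployed instance after upgrading to 3.1.2 or later, replay the account-creation form submission from an authenticated Owner session with the form's token removed and the Origin header set to a foreign site; a patched instance should reject the request rather than create the account.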
Moderate severity GitHub Reviewed Published Feb 18, 2025 in Leantime/leantime • Updated Feb 21, 2025
Package
composer leantime/leantime (Composer)
Affected versions
< 3.1.2
References
- GHSA-92xh-6x7v-4rmq
Published to the GitHub Advisory Database
Feb 21, 2025
Last updated
Feb 21, 2025