dead1nfluence/Leantime-POC

Unavailable
This project is no longer available (or publicly accessible) from GitHub.
Releases: 0
CVE-2024-27474, CVE-2024-27476, CVE-2024-27477

CVE History

CVE             CVSS v3      Description
CVE-2024-27474  8.8 HIGH     Leantime 3.0.6 is vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators.
CVE-2024-27476  4.7 MEDIUM   Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket.
CVE-2024-27477  6.1 MEDIUM   In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks.

(Published dates and CVSS v2 scores were not present in the source listing.)