Leantime
by Leantime
Source repositories
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-33961 | Hig | 0.58 | 8.9 | 0.00 | May 30, 2023 | Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code… | ||
| CVE-2024-27474 | Hig | 0.57 | 8.8 | 0.01 | Apr 10, 2024 | Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators. | ||
| CVE-2024-27705 | Hig | 0.49 | 7.6 | 0.01 | Apr 3, 2024 | Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint. | ||
| CVE-2024-27477 | Med | 0.40 | 6.1 | 0.01 | Apr 10, 2024 | In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited… | ||
| CVE-2024-27703 | Med | 0.35 | 5.4 | 0.01 | Mar 13, 2024 | Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter. | ||
| CVE-2024-27476 | Med | 0.31 | 4.7 | 0.01 | Apr 10, 2024 | Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. | ||
| CVE-2025-28254 | Med | 0.28 | 5.4 | 0.00 | Mar 28, 2025 | Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions(). | ||
| CVE-2023-45826 | Med | 0.00 | 6.5 | 0.02 | Oct 19, 2023 | Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability.… | ||
| CVE-2020-5292 | Hig | 0.00 | 8.7 | 0.01 | Mar 31, 2020 | Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like… |
- risk 0.58cvss 8.9epss 0.00
Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code…
- risk 0.57cvss 8.8epss 0.01
Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators.
- risk 0.49cvss 7.6epss 0.01
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint.
- risk 0.40cvss 6.1epss 0.01
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited…
- risk 0.35cvss 5.4epss 0.01
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter.
- risk 0.31cvss 4.7epss 0.01
Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket.
- risk 0.28cvss 5.4epss 0.00
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().
- risk 0.00cvss 6.5epss 0.02
Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability.…
- risk 0.00cvss 8.7epss 0.01
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like…