GHSA-95j3-435g-vjcp: Leantime affected by Improper Neutralization of HTML Tags

February 21, 2025

HTML can be arbitrarily injected into emails from Leantime due to improper neutralization of HTML tags in users’ first names. This effectively allows for the creation of phishing emails from a Leantime instance’s email address.

References

github.com/Leantime/leantime
github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50
github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp
github.com/advisories/GHSA-95j3-435g-vjcp

Detect and mitigate GHSA-95j3-435g-vjcp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →