Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. leantime/leantime
  4. ›
  5. GHSA-v4q9-437p-mhpg

GHSA-v4q9-437p-mhpg: Leantime allows Cross Site Scripting (XSS) and SQL Injection (SQLi)

February 21, 2025

A cross-site scripting (XSS) vulnerability has been identified in Leantime. The vulnerability allows an attacker to inject malicious scripts into certain fields, potentially leading to the execution of arbitrary code or unauthorized access to user-sensitive information. The code does not include any validation or sanitization of the $_GET[“id”] parameter. As a result, it directly incorporates the user-supplied value into the source path without any checks.

References

  • github.com/Leantime/leantime
  • github.com/Leantime/leantime/security/advisories/GHSA-v4q9-437p-mhpg
  • github.com/advisories/GHSA-v4q9-437p-mhpg

Code Behaviors & Features

Detect and mitigate GHSA-v4q9-437p-mhpg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 3.3

Fixed versions

  • 3.3

Solution

Upgrade to version 3.3 or above.

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Source file

packagist/leantime/leantime/GHSA-v4q9-437p-mhpg.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:32 +0000.