Description
Leantime has Missing Authorization Check for Host Parameter
Finding Description
The application has functionality for a user to view profile information. It does not implement an authorization check for the "Host" parameter, which allows a user to view another user's profile information by replacing the value of the "Host" parameter.
Impact
By exploiting this vulnerability an attacker is able to view another user's profile information (but cannot view anything else or change anything).
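The pattern described above (CWE-862, a missing authorization check on a caller-supplied identifier that selects whose profile is returned) as an added illustration. This is not Leantime's code: the request shape, the user model, the parameter name `id` (the advisory calls the real one "Host"), and the "own profile or admin" policy are all assumptions made for the example. The vulnerable handler is shown beside a hardened one that makes the same lookup but checks the session user first.

```python
"""Missing authorization check on a profile-view parameter (CWE-862).

Added illustration, not Leantime code. Handler signatures, the `id`
parameter name, the user model and the authorization policy are hypothetical.
Only the pattern mirrors the advisory: a caller-controlled value chooses
whose profile is returned, and the vulnerable handler never asks whether
the session user is allowed to see it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    role: str    # "member" or "admin" (hypothetical roles)
    email: str   # profile field that should not leak to arbitrary users


# Constructed sample users for the example.
USERS = {
    1: User(1, "alice", "member", "alice@example.invalid"),
    2: User(2, "bob", "member", "bob@example.invalid"),
    3: User(3, "carol", "admin", "carol@example.invalid"),
}


class Forbidden(Exception):
    """Raised when the session user may not view the requested profile."""


def view_profile_vulnerable(session_user_id: int, params: dict) -> dict:
    """Vulnerable pattern: the profile to show comes straight from the
    request parameter; the session user is never consulted, so any
    authenticated user can read any other profile by changing the value."""
    target_id = int(params.get("id", session_user_id))
    target = USERS.get(target_id)
    if target is None:
        raise KeyError(target_id)
    return {"username": target.username, "email": target.email}


def view_profile_fixed(session_user_id: int, params: dict) -> dict:
    """Hardened pattern: same parameter and same lookup, but the server
    decides whether the session user is permitted to see the target
    profile before returning it."""
    requester = USERS[session_user_id]
    target_id = int(params.get("id", session_user_id))
    target = USERS.get(target_id)
    if target is None:
        raise KeyError(target_id)
    # Hypothetical policy: users see their own profile; admins see anyone's.
    if target.user_id != requester.user_id and requester.role != "admin":
        raise Forbidden(
            f"user {requester.user_id} may not view profile {target_id}"
        )
    return {"username": target.username, "email": target.email}


def can_read_cross_user(handler, attacker_id: int = 1, victim_id: int = 2) -> bool:
    """Return True if `handler` lets `attacker_id` read `victim_id`'s profile
    simply by supplying the victim's identifier in the request."""
    try:
        handler(attacker_id, {"id": str(victim_id)})
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", can_read_cross_user(view_profile_vulnerable))
    print("fixed handler leaks:", can_read_cross_user(view_profile_fixed))
```

The check that matters is the one comparing the requested identifier against the authenticated session, not the validation of the parameter's format: a well-formed value belonging to someone else is exactly the input the vulnerable handler accepts.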
Packages
Name
leantime/leantime
composer
Affected versions: < 3.3
Fixed version: 3.3
CVSS4: 2.3 Low
Weaknesses
CWE-862