exploitDog

GHSA-95j3-435g-vjcp

Published: 21 Feb 2025
Source: github
GitHub: Reviewed
CVSS3: 6.5

Description

Leantime affected by Improper Neutralization of HTML Tags

Summary

HTML can be arbitrarily injected into emails from Leantime due to improper neutralization of HTML tags in users' first names. This effectively allows for the creation of phishing emails from a Leantime instance's email address.

Packages

Name: leantime/leantime (composer)
Affected versions: < 3.3
Patched version: 3.3

EPSS
Score: 0.00211 (percentile: 43%, Low)

CVSS3
6.5 Medium

Weaknesses
CWE-79
CWE-80

Related vulnerabilities

CVSS3: 5.4
Source: nvd
11 months ago

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().