Description
Leantime allows Stored Cross-Site Scripting (XSS)
Description
Leantime allows stored cross-site scripting (XSS) via the API key name supplied when an API key is generated: the name is stored without sanitisation and later rendered into a page without output encoding.
Impact
Any low-privileged user, such as a manager or an editor, can create an API key whose name contains an XSS payload. When an admin visits the Company page, the payload executes automatically in the admin's browser, so unauthorized actions can be performed from the ADMIN account, such as removing a user, granting another user high privileges, and more. Because the payload is stored server-side, it fires on every visit until the key is deleted, and no interaction beyond opening the page is required.
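To make the sink concrete, the following is an added example and not Leantime's own code: the row-rendering helpers, the hypothetical CSS class, and the attacker payload are all constructed for illustration. It places the vulnerable output pattern (raw concatenation of the stored name into HTML) beside the hardened one (HTML-encoding on output), and adds a creation-time validation check as defence in depth.

```php
<?php
// Added example, not Leantime code: shows why an unescaped API key name is a
// stored XSS sink and how output encoding closes it.

declare(strict_types=1);

// Constructed attacker input: a low-privileged user submits this as the key name.
// The leading "> breaks out of an attribute context as well as a text context.
const PAYLOAD = '"><img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored name is concatenated straight into HTML, so any
// markup in it is interpreted by the admin's browser when the page is rendered.
function renderApiKeyRowVulnerable(string $name): string
{
    return '<tr><td class="api-key-name">' . $name . '</td></tr>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES encodes both
// quote characters so the value is also safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderApiKeyRowSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td class="api-key-name">' . $escaped . '</td></tr>';
}

// Defence in depth (hypothetical policy): accept only short, plain names when
// the key is created. Output encoding is still required; this only limits what
// reaches the database in the first place.
function isValidApiKeyName(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} _.\-]{1,64}\z/u', $name) === 1;
}

// Demonstration with the constructed payload.
$vulnerable = renderApiKeyRowVulnerable(PAYLOAD);
$safe       = renderApiKeyRowSafe(PAYLOAD);

assert(str_contains($vulnerable, '<img src=x onerror='));   // markup survives: XSS
assert(!str_contains($safe, '<img'));                        // neutralised
assert($safe === '<tr><td class="api-key-name">'
    . '&quot;&gt;&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;'
    . '</td></tr>');
assert(isValidApiKeyName('ci-deploy-key_01'));
assert(!isValidApiKeyName(PAYLOAD));

echo "vulnerable: $vulnerable\n";
echo "safe:       $safe\n";
```

Run it with `php example.php` (PHP 8 or later, for `str_contains`); with `zend.assertions=1` the assertions are checked. The practical check when reviewing a fix for this class of bug is the second function: every place the key name is written into HTML must go through `htmlspecialchars` (or the template engine's auto-escaping syntax), because the input-side check alone can be bypassed through any other write path to the same column.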
Packages
Name: leantime/leantime (composer)
Affected versions: < 3.3
Fixed version: 3.3
Severity: 7.6 High (CVSS 4.0)
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)