Description
Duplicate Advisory: Leantime affected by Improper Neutralization of HTML Tags
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-95j3-435g-vjcp. This link is maintained to preserve external references.
Original Description
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().
References
- https://github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp
- https://nvd.nist.gov/vuln/detail/CVE-2025-28254
- https://github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50
- https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128
Packages
Name: leantime/leantime (composer)
Affected versions: < 3.3
Fix version: 3.3
Severity: 6.5 Medium (CVSS3)
Weaknesses: CWE-80