Vulmon
Leantime vulnerabilities and exploits (vendor: Leantime, product: Leantime)

CVE-2023-45826 (CVSSv3 6.5)
Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerabi...
Product tags: Leantime / Leantime 2.4; Leantime / Leantime

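The entry above describes the bug class, a request-controlled `userId` pasted into SQL text, without showing it. The following is an added illustration, written for this page and not taken from Leantime's code base or from Vulmon: a vulnerable lookup beside its parameterized replacement, run against an in-memory SQLite database. The table `files`, its columns, its rows, the function names and the attacker value are all constructed for the example; the only requirement is PHP's bundled pdo_sqlite driver.

```php
<?php
// Added example, not Leantime's code: the bug class behind CVE-2023-45826
// (a request-controlled userId concatenated into SQL) next to the parameterized
// form. The table `files`, its columns and rows are constructed here; the
// in-memory SQLite database only needs PHP's bundled pdo_sqlite driver.
declare(strict_types=1);

function makeSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, userId INTEGER NOT NULL, realName TEXT NOT NULL)');
    $pdo->exec("INSERT INTO files (userId, realName) VALUES (1, 'alice-notes.txt'), (2, 'bob-contract.pdf'), (2, 'bob-salary.xlsx')");
    return $pdo;
}

// Vulnerable pattern: the value taken from the request (for instance a JSON-RPC
// parameter) becomes part of the SQL text, so "1 OR 1=1" turns the WHERE clause
// into a tautology and the query returns every user's files.
function filesByUserVulnerable(PDO $pdo, string $userId): array
{
    $sql = 'SELECT id, realName FROM files WHERE userId = ' . $userId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: validate the type at the trust boundary, then bind the value
// as a parameter so the database engine never parses it as SQL.
function filesByUserFixed(PDO $pdo, string $userId): array
{
    $id = filter_var($userId, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        throw new InvalidArgumentException('userId must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, realName FROM files WHERE userId = :userId');
    $stmt->bindValue(':userId', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeSampleDb();
$payload = '1 OR 1=1'; // constructed attacker value, as it might arrive in a request parameter

printf("vulnerable, userId=%s: %d rows\n", $payload, count(filesByUserVulnerable($pdo, $payload)));
try {
    filesByUserFixed($pdo, $payload);
} catch (InvalidArgumentException $e) {
    printf("fixed, userId=%s: rejected (%s)\n", $payload, $e->getMessage());
}
printf("fixed, userId=1: %d rows\n", count(filesByUserFixed($pdo, '1')));
```

The validation step matters as much as the binding: binding alone would stop the injection, but rejecting non-integer input at the API boundary also produces a clear error instead of a silently empty result, which is what you want when triaging a JSON-RPC endpoint that accepts user-supplied identifiers.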
CVE-2023-33961 (CVSSv3 5.4)
Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious JavaScript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious JavaScript code exec...
Product tags: Leantime / Leantime

CVE-2020-5292 (CVSSv3 8.8)
Leantime prior to 2.0.15 and 2.1-beta3 has an SQL injection vulnerability. The impact is high: malicious users or attackers can execute arbitrary SQL queries, negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the user...
Product tags: Leantime / Leantime

CVE-2024-27476 (CVSS score not available)
Leantime 3.0.6 is vulnerable to HTML injection via /dashboard/show#/tickets/newTicket.
References: 1 GitHub repository

CVE-2024-27703 (CVSS score not available)
Cross-site scripting vulnerability in Leantime 3.0.6 allows a remote malicious user to execute arbitrary script in a victim's browser via the to-do title parameter.

CVE-2024-27705 (CVSS score not available)
Cross-site scripting vulnerability in Leantime v3.0.6 allows malicious users to execute arbitrary script in a victim's browser via upload of a crafted PDF file to the files/browse endpoint.

CVE-2024-27474 (CVSS score not available)
Leantime 3.0.6 is vulnerable to cross-site request forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators.
References: 1 GitHub repository

CVE-2024-27477 (CVSS score not available)
In Leantime 3.0.6, a cross-site scripting vulnerability exists within the ticket creation and modification functionality, allowing malicious users to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be expl...
References: 1 GitHub repository

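Several entries above (the comment XSS in CVE-2023-33961, the to-do title XSS in CVE-2024-27703 and CVE-2024-27477, and the uploaded-PDF XSS in CVE-2024-27705) share one root cause: attacker-stored content reaches the browser without context-appropriate encoding or is served in a way that lets it execute inside the application's origin. The following is an added illustration, written for this page and not taken from Leantime's code base or from Vulmon: a vulnerable render beside the encoded form for HTML body and attribute contexts, and the response headers a download endpoint can use so an uploaded file is not rendered inline. All function names, the stored strings and the header set are constructed for the example.

```php
<?php
// Added example, not Leantime's code: the stored-XSS pattern shared by the
// comment and to-do-title entries above (stored text emitted as markup)
// beside context-aware output encoding, plus the download headers that keep
// an uploaded file such as a crafted PDF from executing script in the
// application's origin. Function names and sample strings are constructed.
declare(strict_types=1);

// Vulnerable: whatever was stored in the title is emitted as markup, so a
// stored <img onerror=...> or <script> runs for every viewer of the ticket.
function renderTitleVulnerable(string $title): string
{
    return '<h2 class="ticket-title">' . $title . '</h2>';
}

// Fixed for HTML body context: encode <, >, &, " and ' so the stored text is
// displayed, never parsed. ENT_SUBSTITUTE avoids an empty string on bad UTF-8,
// which would otherwise silently drop the title.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTitleFixed(string $title): string
{
    return '<h2 class="ticket-title">' . encodeHtml($title) . '</h2>';
}

// The same value reused inside an attribute (an edit form) needs the same
// encoding; a quoted attribute plus ENT_QUOTES stops the value from closing
// the quote and adding an event handler.
function renderTitleInputFixed(string $title): string
{
    return '<input type="text" name="headline" value="' . encodeHtml($title) . '">';
}

// Uploaded files: send them as an attachment with a neutral content type and
// nosniff, so a PDF (or HTML disguised as one) carrying script is downloaded
// rather than rendered with the application's cookies. The CSP sandbox
// directive is a second layer in case a browser does render it. Returns the
// headers a download endpoint would emit.
function downloadHeaders(string $storedName): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($storedName)) ?? 'download';
    return [
        'Content-Type' => 'application/octet-stream',
        'Content-Disposition' => 'attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options' => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

$storedTitle = '<img src=x onerror="alert(document.cookie)">'; // constructed stored value
echo renderTitleVulnerable($storedTitle), "\n"; // a browser would fire the onerror handler
echo renderTitleFixed($storedTitle), "\n";      // shown as literal text
echo renderTitleInputFixed($storedTitle), "\n";
foreach (downloadHeaders('../evil "report".pdf') as $name => $value) {
    echo $name, ': ', $value, "\n";
}
```

Encoding at output time, per context, is the durable fix; stripping tags on input (the approach that tends to fail against the crafted-PDF and attribute cases) is not a substitute, because the same stored value is rendered in more than one context and the filter has to anticipate all of them.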