Arbitrary Code Execution via Cross-Site Scripting (XSS) in Leantime v3.0.6
CVE-2024-27705

7.6HIGH

Key Information:

Vendor

Leantime

Status
Vendor
CVE Published:
3 April 2024

What is CVE-2024-27705?

A security vulnerability exists within Leantime v3.0.6 that permits Cross Site Scripting (XSS) attacks. This vulnerability arises when an attacker uploads a specially crafted PDF file to the files/browse endpoint, enabling the execution of arbitrary code. Proper sanitization and validation of file uploads are essential to mitigate such risks, as failure to do so can lead to unauthorized actions affecting both the server and users accessing the application.

References

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.