Cross-site Scripting (XSS) - Stored in leantime/leantime
Nov 24th 2021
I found a stored XSS in the title of the content.
Proof of Concept
1. First, build the environment with Docker and create an administrator user.
2. Next, create a new "To-Do" from "Project Dashboard" in the left menu.
3. Next, create an account with the "Team Member" role from "User Management" in the menu on the right side, and assign it to the project you created earlier.
4. Then log in as the newly created member user in a separate private (incognito) tab.
5. Select "Retrospectives" from the menu on the left and click "Add More".
6. Enter the following payload in "Description" and save it. Both the description and data parameters carry the URL-encoded string "/></script><script>alert(3)</script> (alert(10) in data); it is built to close a quoted attribute and a surrounding script block before injecting its own script element:
POST /retrospectives/retroDialog/ HTTP/1.1
Host: localhost
...

canvasId=&box=well&itemId=&description=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E%0D%0A&data=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(10)%3C%2Fscript%3E%0D%0A&milestoneId=&changeItem=1
7. Finally, when you open "Retrospectives" as the administrator user, the alert pop-up is displayed.
This confirms that a stored XSS payload planted by an ordinary member user executes in the administrator's session.
Because the script runs in the administrator's browser, it can read the session cookie (unless the cookie is flagged HttpOnly) and send it to an attacker, who could then use it to take over the administrator's account. Even with HttpOnly set, the injected script can still issue requests in the administrator's session, so the cookie flag alone does not remove the impact.
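The following is an added example, not Leantime's own code or its fix: it shows why the payload from step 6 breaks out of the page it is stored into, and how context-aware output encoding (the generic fix for this bug class) neutralises it. The template shape, the function names and the checks are assumptions made for illustration; the report does not show Leantime's real template.

```javascript
// Added example, not Leantime's own code. The vulnerable template shape below
// is an assumption; the report does not show the real one.

// The "description" value from the PoC request, URL-decoded (constructed from
// the report's request body).
const PAYLOAD = decodeURIComponent(
  '%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E%0D%0A'
);
// PAYLOAD === '"/></script><script>alert(3)</script>\r\n'

// Assumed vulnerable rendering: the stored description is concatenated into an
// HTML attribute and into an inline <script> block without any encoding. The
// leading '"' closes the attribute, '/>' closes the tag, '</script>' closes the
// enclosing script block, and the attacker's own <script> then runs.
function renderVulnerable(description) {
  return (
    `<div class="retro-item" data-description="${description}">` +
    `<script>var item = {"description": "${description}"};</script>` +
    `</div>`
  );
}

// HTML entity encoding for text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding for data embedded in an inline script: JSON-encode, then hex-escape
// '<' and '>' so the sequence "</script>" (or "<!--") can never appear in the
// output, and escape the line separators that JSON allows but JS source does not.
function escapeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: the same template, with each insertion encoded for the
// context it lands in.
function renderHardened(description) {
  return (
    `<div class="retro-item" data-description="${escapeHtml(description)}">` +
    `<script>var item = ${escapeForScript({ description })};</script>` +
    `</div>`
  );
}

// Check: how many <script> elements does the rendered HTML open? The template
// itself contributes exactly one; anything more was injected.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Check: the hardened page still hands the original value to the browser
// intact, i.e. the fix does not corrupt legitimate descriptions.
function decodeEmbedded(html) {
  const m = html.match(/<script>var item = (.*?);<\/script>/s);
  return m ? JSON.parse(m[1]) : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable <script> count:', scriptTagCount(renderVulnerable(PAYLOAD)));
  console.log('hardened   <script> count:', scriptTagCount(renderHardened(PAYLOAD)));
  console.log('round-trip ok:', decodeEmbedded(renderHardened(PAYLOAD)).description === PAYLOAD);
}
```

Run it with node; the vulnerable rendering opens three script elements (one from the template, two injected), the hardened rendering opens one, and the description still reaches the page unchanged. The point of the two encoders is that an HTML entity encoder alone is not enough for data placed inside a script block, and JSON encoding alone is not enough either, since JSON leaves "</script>" intact; each insertion has to be encoded for its own context.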