Cross-site Scripting (XSS) - Stored in leantime/leantime


Reported on

Nov 24th 2021


I found Stored XSS in the title of the content.

Proof of Concept


1.First of all, build the environment with Docker and create an administrator user.

2.Next, create a new "To -DO" from "Project Dashboard" in the left menu. (/)

3.Next, create an account for the role of "Team Member" from "User Management" in the menu on the right side, and assign it to the project you created earlier. (/users/newUser/)

4.Then log in as a member user created in another secret tab.

5.Then select "Retrospectives" from the menu on the left and click Add More. (/retrospectives/showBoards)

6.Then, embed the following payload in "Description" and save it."/></script><script>alert(3)</script>

POST /retrospectives/retroDialog/ HTTP/1.1
Host: localhost

7.Finally, when you access "Retrospectives" as an administrator user, a pop-up screen will be displayed.

From the above, it can be confirmed that it is possible to execute Stored XSS embedded by a normal user on the administrator screen.


-Endpoint: POST /retrospectives/retroDialog/

-Parameters: description

-Test Payload: "/></script><script>alert(3)</script>


This vulnerability can steal a user's cookie.

And it may be possible to gain unauthorized access to the user's account via the stolen cookie.

We are processing your report and will contact the leantime team within 24 hours. a year ago
morioka12 modified the report
a year ago
We have contacted a member of the leantime team and are waiting to hear back a year ago
We have sent a follow up to the leantime team. We will try again in 7 days. a year ago
We have sent a second follow up to the leantime team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the leantime team. This report is now considered stale. a year ago
Marcel Folaron validated this vulnerability a year ago
morioka12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Marcel Folaron marked this as fixed in 2.1.9 with commit 7cbdbf a year ago
Marcel Folaron has been awarded the fix bounty
This vulnerability will not receive a CVE
7 months ago


@maintainer , I would be glad if you could approve for CVE.

7 months ago


@admin can you pls assign a CVE for this?

Jamie Slome
7 months ago


We are happy to assign a CVE once we get the go-ahead from the maintainer. Feel free to ping them on the commit SHA comments section 👍

to join this conversation