Cross-site Scripting (XSS) - Stored in leantime/leantime
Sep 2nd 2021
A malicious actor is able to add "new Retrospective" with a malicious payload, and upon opening the research menu, the XSS payload is being executed.
🕵️♂️ Proof of Concept
- 1; Log in with a proper roled user
- 2; Add a new board to the system at Retrospective menu on the left
- 3; Insert the following payload in the name field: <script>alert(document.cookie)</script>
- 4; Open the Retrospective menu, and the xss payload is being executed.
With such opprotunity, the malicious actor is able to gather session identifiers from any users. Upon receiving this information, the Confidentiality, Integrity is compromised of the target's account.
Marcel Folaron validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Marcel Folaron marked this as fixed in 2.1.9 with commit c204bc a year ago
This vulnerability will not receive a CVE
to join this conversation