Cross-site Scripting (XSS) - Stored in leantime/leantime

Valid

Reported on

Sep 2nd 2021


✍️ Description

A malicious actor is able to add New Project with a malicious payload, and upon opening the research menu, the XSS payload is being executed.

🕵️‍♂️ Proof of Concept

1; Log in with a proper roled user 2; Add a new Project to the system at the /projects/showAll/ URI with the + New Project button 3; Insert the following payload in the name field: <script>alert(document.cookie)</script> 4; Open the List of the projects at the /projects/showAll URI, and the xss payload is being executed.

💥 Impact

With such opprotunity, the malicious actor is able to gather session identifiers from any users. Upon receiving this information, the Confidentiality, Integrity is compromised of the target's account.

We have contacted a member of the leantime team and are waiting to hear back 9 months ago
Marcel Folaron validated this vulnerability 7 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Marcel Folaron confirmed that a fix has been merged on c204bc a month ago
Marcel Folaron has been awarded the fix bounty
class.projects.php#L535 has been validated
to join this conversation