Reflected XSS in type URL parameter in leantime/leantime

Valid

Reported on Jun 28th 2022


Description

The application has a reflected XSS vulnerability in the URL parameter type.

Proof of Concept

// PoC.js
var payload = "><script>alert(document.cookie)</script>";

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform.
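
The vulnerable pattern beside its hardened form, as an added PHP example that is not taken from the report or from Leantime's code. The hidden-field markup, the function names and the ALLOWED_TYPES values are assumptions, since the page does not show where type is reflected.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; the real set of valid "type" values is not given on the page.
const ALLOWED_TYPES = ['task', 'milestone', 'idea'];

/** Vulnerable pattern: the raw query value is concatenated into an attribute. */
function renderTypeFieldUnsafe(array $query): string
{
    $type = $query['type'] ?? '';
    return '<input type="hidden" name="type" value="' . $type . '">';
}

/** Hardened pattern: validate against the allowlist, then encode for the HTML context. */
function renderTypeFieldSafe(array $query): string
{
    $type = $query['type'] ?? '';
    // Reject arrays (?type[]=x) and anything outside the allowlist.
    if (!is_string($type) || !in_array($type, ALLOWED_TYPES, true)) {
        $type = ALLOWED_TYPES[0];
    }
    // Encode even validated values, so a later allowlist change cannot reintroduce the bug.
    $encoded = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="type" value="' . $encoded . '">';
}

/** Encoding alone, for parameters that have no fixed set of valid values. */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request, modelled on the report's PoC string.
$query = ['type' => '"><script>alert(document.cookie)</script>'];

// Raw reflection: the quote and angle brackets reach the browser as markup.
echo renderTypeFieldUnsafe($query), PHP_EOL;
// Allowlist plus encoding: the unexpected value is replaced by a known-good one.
echo renderTypeFieldSafe($query), PHP_EOL;
// Encoding only: the same string is emitted as inert text.
echo encodeForHtml($query['type']), PHP_EOL;
```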

We are processing your report and will contact the leantime team within 24 hours. (a year ago)
Elijah Rodgers (Researcher), a year ago

I have a video PoC if necessary. I submitted this vulnerability via email about a week ago as well.

We have contacted a member of the leantime team and are waiting to hear back. (a year ago)
We have sent a follow up to the leantime team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the leantime team. We will try again in 10 days. (a year ago)
Marcel Folaron validated this vulnerability. (a year ago)
Elijah Rodgers has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Marcel Folaron marked this as fixed in 2.2.0 with commit 00fed6. (a year ago)
Marcel Folaron has been awarded the fix bounty
This vulnerability will not receive a CVE