Cross-site Scripting (XSS) - Stored in leantime/leantime

Valid

Reported on

Sep 2nd 2021

✍️ Description

A malicious actor is able to add new Client with a malicious payload, and upon opening the research menu, the XSS payload is being executed.

🕵️‍♂️ Proof of Concept

1; Log in with a proper roled user
2; Add a new client to the system at upper right corner at /clients/showAll/ URI with the + New Client button
3; Insert the following payload in the name field: <script>alert(document.cookie)</script>
4; Go to the function, where a new user can be added at at /users/newUser/ URI, and the xss payload is being executed

💥 Impact

With such opprotunity, the malicious actor is able to gather session identifiers from any users. Upon receiving this information, the Confidentiality, Integrity is compromised of the target's account.

We have contacted a member of the leantime team and are waiting to hear back 2 years ago

Marcel Folaron validated this vulnerability 2 years ago

TheLabda has been awarded the disclosure bounty

The fix bounty is now up for grabs

Marcel Folaron marked this as fixed in 2.1.9 with commit c558c6 a year ago

Marcel Folaron has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation