Skip to main content

Leantime CVE-2024-27703

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-03-13 cve@mitre.org
5.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 13, 2024 - 22:15 cve.org
MEDIUM 5.4

DescriptionCVE.org

Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter.

AnalysisAI

Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter. Affected products include: Leantime.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2024-27474 HIGH POC
8.8 Apr 10

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is

CVE-2024-27705 HIGH POC
7.6 Apr 03

Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted P

CVE-2023-45826 MEDIUM POC
6.5 Oct 19

Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-27477 MEDIUM POC
6.1 Apr 10

In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality

CVE-2020-5292 HIGH
8.8 Mar 31

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vu

CVE-2024-27476 MEDIUM POC
4.7 Apr 10

Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7),

CVE-2026-59712 HIGH
8.6 Jul 06

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row

CVE-2026-59713 HIGH
8.6 Jul 06

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a vict

CVE-2026-15509 LOW POC
2.1 Jul 12

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by

CVE-2026-15510 LOW POC
2.1 Jul 12

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to in

CVE-2025-28254 MEDIUM
5.4 Mar 28

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary c

CVE-2023-33961 MEDIUM
5.4 May 30

Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remote

Share

CVE-2024-27703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy