Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting leantime/leantime package, versions <3.1.2

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PHP-LEANTIMELEANTIME-8744642
published23 Feb 2025
disclosed21 Feb 2025
creditanim-29

Report a new vulnerability Found a mistake?

Introduced: 21 Feb 2025

NewCWE-74 (opens in a new tab)

How to fix?

Upgrade leantime/leantime to version 3.1.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the user details viewing functionality. An attacker can manipulate the host header in HTTP requests to gain unauthorized access to view details of other users.

References

GitHub Advisory

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None