Lucene search

[email protected]CVE-2023-33961

HistoryMay 30, 2023 - 10:15 p.m.

CVE-2023-33961

2023-05-3022:15:10

CWE-79

[email protected]

web.nvd.nist.gov

leantime

project management

cve-2023-33961

security vulnerability

javascript injection

nvd

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

5.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.5%

JSON

Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time of publication, a patch does not exist.

Affected configurations

Vulners

NVD

Node

leantimeleantimeMatch2.3.21

VendorProductVersionCPE
leantimeleantime2.3.21cpe:2.3:a:leantime:leantime:2.3.21:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
leantime	leantime	2.3.21	cpe:2.3:a:leantime:leantime:2.3.21:::::::*

CNA Affected

[
  {
    "vendor": "Leantime",
    "product": "leantime",
    "versions": [
      {
        "version": "=> 2.3.21",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Leantime/leantime/security/advisories/GHSA-359m-fp6q-65r7

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

5.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.5%

JSON

Related for CVE-2023-33961

prion1 nvd1 osv1 cvelist1