Lucene search

GitHub_MCVELIST:CVE-2023-33961

HistoryMay 30, 2023 - 9:34 p.m.

CVE-2023-33961 Leantime Stored Cross-site Scripting Vulnerability

2023-05-3021:34:00

CWE-79

GitHub_M

www.cve.org

cve-2023-33961

leantime

stored xss

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

8.9 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time of publication, a patch does not exist.

CNA Affected

[
  {
    "vendor": "Leantime",
    "product": "leantime",
    "versions": [
      {
        "version": "=> 2.3.21",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Leantime/leantime/security/advisories/GHSA-359m-fp6q-65r7

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

8.9 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

Related for CVELIST:CVE-2023-33961