CVE-2025-28254

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Leantime versions 3.2.1 and earlier

Description The issue allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in the processMentions() function. This is a Cross Site Scripting vulnerability.

Recommendations For Leantime versions 3.2.1 and earlier, as a temporary workaround, consider restricting access to the processMentions() function until a patch is available. Avoid using the first name field in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-80CWE-79

Related Identifiers

CVE-2025-28254

GHSA-95J3-435G-VJCP

GHSA-JF6P-4HGV-V6QH

Affected Products

Leantime

CVE-2025-28254

Weakness Enumeration

Related Identifiers

Affected Products

References · 14