Name of the Vulnerable Software and Affected Versions Leantime (affected versions not specified)

Description The issue allows stored cross-site scripting (XSS) in the API key name while generating the API key. Any low-privileged user, such as a manager or editor, can create an API key with an XSS payload. When an admin visits the Company page, the XSS will automatically get triggered, leading to unauthorized actions being performed from the admin account, such as removing any user or adding someone else as a high-privilege user.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.