GHSA-3hfj-qcvj-4hx8: 
PHP vulnerability analysis and mitigation

A security vulnerability was identified in Leantime versions prior to 3.3, tracked as GHSA-3hfj-qcvj-4hx8. The vulnerability stems from a missing authorization check for the 'Host' parameter in the user profile viewing functionality, which was discovered and disclosed on February 18, 2025. This security issue affects the Leantime project's user profile system (GitHub Advisory).

The vulnerability is classified as CWE-862 (Missing Authorization Check) with a CVSS v4.0 score of 2.3 (Low severity). The technical assessment shows the following characteristics: Network-based attack vector, low attack complexity, present attack requirements, low privileges required, and no user interaction needed. The vulnerability specifically relates to the Host parameter's authorization check implementation in the user profile viewing functionality (GitHub Advisory).

The exploitation of this vulnerability allows an attacker to view profile information of other users by manipulating the 'Host' parameter. However, the impact is limited to viewing profile information only, with no ability to modify data or access other system functionalities (GitHub Advisory).

The vulnerability has been patched in Leantime version 3.3. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).