GHSA-c39w-3pjx-qc7m: 
PHP vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Leantime versions prior to 3.3, identified as GHSA-c39w-3pjx-qc7m. The vulnerability exists in the API key name functionality while generating API keys. This security issue was published on February 18, 2025, and affects the Leantime/leantime composer package (GitHub Advisory).

The vulnerability is classified as High severity with a CVSS score of 7.6. According to the CVSS v4 base metrics, the vulnerability has a Network attack vector, Low attack complexity, Present attack requirements, Low privileges required, and requires No user interaction. The vulnerability is tracked as CWE-79, which is a common weakness enumeration for Cross-Site Scripting (GitHub Advisory).

The vulnerability allows any low-privileged user, such as a manager or editor, to create an API key containing an XSS payload. When an administrator visits the Company page, the XSS payload automatically triggers, leading to unauthorized actions being performed with administrative privileges. These actions could include removing users or elevating privilege levels of other users (GitHub Advisory).

The vulnerability has been patched in Leantime version 3.3. Users are advised to upgrade to this version or later to mitigate the security risk (GitHub Advisory).