
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability was discovered in Leantime versions prior to 3.3, identified as GHSA-h6w8-27ph-c385. The vulnerability relates to improper cache control that allows attackers to view sensitive information even after logging out of their accounts. The issue was identified during routine security testing and was published on February 18, 2025 (GitHub Advisory).
The vulnerability has been assigned a CVSS v4.0 score of 5.7 (Moderate severity) with the following vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials). The attack vector is network-based, with low attack complexity, requiring low privileges and active user interaction (GitHub Advisory).
The vulnerability poses a significant risk to user privacy and data security, primarily affecting the confidentiality of information. When successfully exploited, it allows unauthorized access to sensitive information even after user session termination. The vulnerability has high confidentiality impact, though integrity and availability remain unaffected (GitHub Advisory).
The vulnerability has been patched in Leantime version 3.3. Users are strongly advised to upgrade to this version urgently to protect user data against unauthorized access (GitHub Advisory).
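The advisory attributes the issue to improper cache control. The sketch below is an added example, not Leantime's code or its patch, that classifies the cache headers on authenticated responses to check whether a browser could retain sensitive pages after logout. The paths and header values are constructed samples.

```python
# Added example: audit authenticated responses for cache directives.
# Paths and header sets below are constructed, not captured from Leantime.

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_response(headers):
    """Classify how a browser may retain an authenticated page.

    'ok'        -> no-store present: the response must not be written to cache
    'weak'      -> stored locally, but must be revalidated before reuse
    'cacheable' -> may be stored and reused without contacting the server
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc:
        return "ok"
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "weak"
    # The HTTP/1.0 Pragma fallback only applies when Cache-Control is absent.
    if not cc and h.get("pragma", "").lower() == "no-cache":
        return "weak"
    return "cacheable"

def audit_paths(responses):
    """Return {path: verdict} for responses not protected by no-store."""
    verdicts = {p: audit_response(hdrs) for p, hdrs in responses.items()}
    return {p: v for p, v in verdicts.items() if v != "ok"}

# Constructed samples: hypothetical path -> headers seen while logged in.
SAMPLES = {
    "/dashboard": {"Cache-Control": "private, max-age=600"},
    "/projects":  {"Cache-Control": "no-cache, must-revalidate"},
    "/settings":  {"Cache-Control": "no-store, private"},
    "/tickets":   {"Pragma": "no-cache"},
    "/files":     {},
}

if __name__ == "__main__":
    for path, verdict in audit_paths(SAMPLES).items():
        print(f"{path}: {verdict}")
```

Note that `private` only keeps a response out of shared caches; the user's own browser may still store it, which is why it does not count as protection here.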
Source: This report was generated using AI