GHSA-mg4c-884j-pcq9: 
PHP vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Leantime versions prior to 3.3. The vulnerability, identified as GHSA-mg4c-884j-pcq9, was published on February 18, 2025, and involves SVG file uploads that could lead to stored XSS and open redirection attacks. The issue affects the Leantime project management software package (leantime/leantime) (GitHub Advisory).

The vulnerability has been assessed with a CVSS v4.0 score of 5.1 (Moderate severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The attack vector is network-based with low attack complexity, requiring low privileges and passive user interaction. The vulnerability is associated with CWE-79, which relates to improper neutralization of input during web page generation (GitHub Advisory).

The vulnerability impacts both confidentiality and integrity at a low level, with no impact on availability. The vulnerability allows attackers to potentially execute stored XSS attacks and perform open redirections through SVG file uploads (GitHub Advisory).

The vulnerability has been patched in Leantime version 3.3. The fix involves removing SVG file support from the allowed image file types, as evidenced by the removal of the 'svg' => 'image/svg+xml' mapping and its corresponding file extension check (Leantime Commit).