GHSA-95j3-435g-vjcp
First published: Fri Feb 21 2025(Updated: )
### Summary HTML can be arbitrarily injected into emails from Leantime due to improper neutralization of HTML tags in users' first names. This effectively allows for the creation of phishing emails from a Leantime instance's email address.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/leantime/leantime | <3.3 | 3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of GHSA-95j3-435g-vjcp?
The severity of GHSA-95j3-435g-vjcp is considered high due to the potential for phishing attacks.
How do I fix GHSA-95j3-435g-vjcp?
To fix GHSA-95j3-435g-vjcp, upgrade to Leantime version 3.3 or later, which addresses the HTML injection vulnerability.
What impact does GHSA-95j3-435g-vjcp have on users?
GHSA-95j3-435g-vjcp allows attackers to craft phishing emails using legitimate Leantime email addresses, potentially misleading users.
Which versions of Leantime are affected by GHSA-95j3-435g-vjcp?
Leantime versions prior to 3.3 are affected by GHSA-95j3-435g-vjcp due to improper handling of user-supplied input.
Who is at risk from GHSA-95j3-435g-vjcp vulnerability?
Users of Leantime who receive emails from the application are at risk of falling victim to phishing schemes enabled by GHSA-95j3-435g-vjcp.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-95j3-435g-vjcp
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/source
- agent/softwarecombine
- agent/first-publish-date
- agent/description
- agent/type
- agent/tags
- agent/event
- package-manager/composer