CVE-2024-27474

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://drive.proton.me/urls/67VER05Z84#f0fXnmp8o6Y9	Broken Link
https://github.com/Leantime/leantime/blob/264a7dbc2c9b18f574821bf27dd568a287ee8498/app/Domain/Users/Controllers/NewUser.php#L16	Product
https://github.com/dead1nfluence/Leantime-POC/blob/main/README.md	Exploit Third Party Advisory
https://drive.proton.me/urls/67VER05Z84#f0fXnmp8o6Y9	Broken Link
https://github.com/Leantime/leantime/blob/264a7dbc2c9b18f574821bf27dd568a287ee8498/app/Domain/Users/Controllers/NewUser.php#L16	Product
https://github.com/dead1nfluence/Leantime-POC/blob/main/README.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:leantime:leantime:3.0.6:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-04-10 15:16

Updated : 2025-04-08 15:22

NVD link : CVE-2024-27474

Mitre link : CVE-2024-27474

CVE.ORG link : CVE-2024-27474

JSON object : View

Products Affected

leantime

leantime

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-27474", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-04-10T15:16:04.867", "references": [{"url": "https://drive.proton.me/urls/67VER05Z84#f0fXnmp8o6Y9", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://github.com/Leantime/leantime/blob/264a7dbc2c9b18f574821bf27dd568a287ee8498/app/Domain/Users/Controllers/NewUser.php#L16", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/dead1nfluence/Leantime-POC/blob/main/README.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://drive.proton.me/urls/67VER05Z84#f0fXnmp8o6Y9", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/Leantime/leantime/blob/264a7dbc2c9b18f574821bf27dd568a287ee8498/app/Domain/Users/Controllers/NewUser.php#L16", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/dead1nfluence/Leantime-POC/blob/main/README.md", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators."}, {"lang": "es", "value": "Leantime 3.0.6 es vulnerable a Cross-Site Request Forgery (CSRF). Esta vulnerabilidad permite a actores malintencionados realizar acciones no autorizadas en nombre de usuarios autenticados, espec\u00edficamente administradores."}], "lastModified": "2025-04-08T15:22:10.327", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:leantime:leantime:3.0.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B780DD5A-3641-45B4-A961-0EB7F71ABD75"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}