CVE-2024-27474

HIGH

Leantime 3.0.6 - CSRF


Description

Leantime 3.0.6 is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability allows a malicious actor to perform unauthorized actions on behalf of an authenticated user, specifically an administrator, by having that user's browser submit a forged request.

Exploits (1)

nomisec WRITEUP
by dead1nfluence · poc
https://github.com/dead1nfluence/Leantime-POC

Scores

CVSS v3 8.8
EPSS 0.0037
EPSS Percentile 58.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-352
Status published
Products (1)
leantime/leantime 3.0.6
Published Apr 10, 2024
Tracked Since Feb 18, 2026