CVE-2023-33961 HIGH

CVE-2023-33961: Leantime Stored Cross-site Scripting Vulnerability

Vendor Leantime

Product leantime

Weakness CWE-79 · XSS

Published May 30, 2023

Last update January 10, 2025

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time of publication, a patch does not exist.

Key dates

02Disclosure timeline

May 30, 2023 CVE published

January 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-33961

Related vulnerabilities

04Related CVE

CVE-2024-2181 Beaver Builder Addons by WPZOOM <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget CVE-2025-53707 CVE-2024-51589 WordPress Bigmart Elements plugin <= 1.0.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-3831 Enter Addons – Ultimate Template Builder for Elementor <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading widget CVE-2025-12398 Product Table for WooCommerce <= 5.0.8 - Reflected Cross-Site Scripting