CVE-2024-27477: n/a
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks.
AI Analysis
Technical Summary
CVE-2024-27477 identifies a stored Cross-Site Scripting (XSS) vulnerability in Leantime version 3.0.6, specifically within the ticket (to-do) creation and modification functionality. The vulnerability arises because the application fails to properly sanitize or encode user-supplied input in the ticket title field, allowing attackers to inject malicious JavaScript code that is stored persistently in the system. When other users or administrators view the affected tickets, the malicious script executes in their browsers, potentially stealing session tokens, performing actions on behalf of the user, or manipulating the interface. Notably, this XSS can be chained to perform Server-Side Request Forgery (SSRF) attacks, where the injected script causes the server to make unauthorized HTTP requests to internal or external resources, potentially exposing sensitive internal services or data. The vulnerability is remotely exploitable over the network without requiring authentication but does require user interaction (viewing the malicious ticket). The CVSS 3.1 base score is 6.1, reflecting medium severity with low attack complexity and no privileges required. No patches or official fixes have been released at the time of publication, and no known exploits are reported in the wild. The underlying weakness corresponds to CWE-79 (Improper Neutralization of Input During Web Page Generation).
Potential Impact
This vulnerability can lead to unauthorized execution of malicious scripts in the context of users’ browsers, compromising confidentiality and integrity of user sessions and data. The SSRF capability extends the impact by enabling attackers to pivot from the client-side to the server-side, potentially accessing internal services, bypassing firewalls, or exfiltrating sensitive information. For organizations, this could mean exposure of internal network resources, unauthorized data access, and potential lateral movement within the infrastructure. The medium CVSS score indicates a moderate risk, but the chained SSRF attack increases the threat surface. Public-facing Leantime installations used for project and task management are particularly at risk, as attackers can target users with crafted tickets. The absence of patches increases the window of exposure. While no active exploitation is reported, the vulnerability could be weaponized by attackers targeting organizations relying on Leantime for collaboration, especially those with sensitive internal networks accessible from the server.
Mitigation Recommendations
Organizations should immediately review input validation on the ticket title field and either reject HTML and JavaScript content or encode it properly when it is rendered. Implement strict Content Security Policy (CSP) headers to reduce the impact of any injected scripts. Monitor logs for unusual ticket creation or modification activity that includes suspicious script tags or payloads. If possible, restrict access to the ticketing system to trusted users and networks until a patch is available. Employ web application firewalls (WAFs) with rules targeting XSS payloads and SSRF patterns. Educate users to avoid clicking on suspicious ticket links or content. Developers should prioritize releasing a patch that sanitizes and encodes user inputs correctly and validates server-side requests to prevent SSRF. Additionally, network segmentation and limiting server outbound requests can reduce SSRF impact. Regularly update and audit the Leantime installation and dependencies for security fixes.
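The following is an added example, not code from Leantime or from this report, showing three of the defensive measures above in working form: output-encoding a stored to-do title before it reaches the browser, a strict Content-Security-Policy value that refuses inline script, and a log scan that flags ticket create/update events whose title looks like markup. The HTML template, the CSP directives, and the log line format with its user/action/title fields are all assumptions made for the example; the sample log lines are constructed.

```python
"""Added example (not Leantime code): defensive handling of a to-do title.

  1. HTML-encode the title at render time, so stored markup is displayed
     as text rather than parsed by the browser.
  2. A strict Content-Security-Policy header value (assumed policy) that
     blocks inline script even where an encoding gap remains.
  3. A log scan that flags ticket create/update events whose title
     contains script-like content, for triage.

The log format and field names are assumptions made for this example.
"""
import html
import re
from typing import Iterable

# Assumed rendering markup for this example; Leantime's real template differs.
TITLE_TEMPLATE = '<h2 class="ticket-title">{}</h2>'


def render_ticket_title(title: str) -> str:
    """Render a stored title as HTML with & < > " ' entity-encoded.

    html.escape(quote=True) turns a title such as <script>... into
    &lt;script&gt;..., so it is shown literally and never parsed as a tag.
    """
    return TITLE_TEMPLATE.format(html.escape(title, quote=True))


def csp_header() -> tuple[str, str]:
    """Header name/value for a strict CSP (assumed policy; tune per deployment).

    script-src has no 'unsafe-inline', so injected <script> blocks and on*=
    handlers are refused by a CSP-aware browser. connect-src limits where
    page scripts may send requests, narrowing what an injected script reaches.
    """
    value = (
        "default-src 'self'; "
        "script-src 'self'; "
        "object-src 'none'; "
        "base-uri 'self'; "
        "connect-src 'self'; "
        "frame-ancestors 'self'"
    )
    return ("Content-Security-Policy", value)


# Assumed application log format (constructed for this example):
#   <timestamp> user=<name> action=ticket.<create|update> title="<text>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>ticket\.(?:create|update)) '
    r'title="(?P<title>.*)"$'
)

# Indicators of markup or script in a field that should hold plain text.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(?:script|iframe|img|svg|object|embed)\b"  # tags that run or load code
    r"|\bon[a-z]+\s*="                                   # on*= event handler attributes
    r"|javascript\s*:",                                   # javascript: URLs
    re.IGNORECASE,
)


def flag_suspicious_titles(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, title) for ticket events whose title looks like markup.

    Lines that do not match the expected format are skipped rather than
    raising, so a partially corrupted log does not abort the scan.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if m is None:
            continue
        if SUSPICIOUS.search(m["title"]):
            hits.append((m["ts"], m["user"], m["title"]))
    return hits


# Constructed sample log: one legitimate title containing '<' that must not be
# flagged, one script-bearing title, and a malformed line that is skipped.
SAMPLE_LOG = [
    '2026-02-25T21:45:33Z user=alice action=ticket.create title="Fix 1 < 2 comparison"',
    '2026-02-25T21:46:10Z user=mallory action=ticket.update title="Deploy <script>alert(1)</script>"',
    '2026-02-25T21:47:02Z user=bob action=ticket.create title="Rotate API keys"',
    "malformed line without fields",
]

if __name__ == "__main__":
    print(render_ticket_title("Deploy <script>alert(1)</script>"))
    print(": ".join(csp_header()))
    for ts, user, title in flag_suspicious_titles(SAMPLE_LOG):
        print(f"FLAG {ts} {user}: {title}")
```

The encoder is the primary control: encoding at output is what makes a stored title harmless regardless of how it was entered. The CSP is defence in depth, and the log scan is a triage aid only; its `on*=` pattern can match ordinary text such as "one = two", so treat hits as leads to review rather than verdicts.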
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-26T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d7db7ef31ef0b57a4d2
Added to database: 2/25/2026, 9:45:33 PM
Last enriched: 2/26/2026, 11:03:26 AM
Last updated: 4/12/2026, 3:34:40 PM