POC / CVE-2024-27476.md
## HTML Injection
```html
<a href=http://192.168.2.46:8000/hacked.html>HTML Injection</a>
```

Under /dashboard/show#/tickets/newTicket, create a ticket containing the HTML above.
![image](https://github.com/dead1nfluence/Leantime-POC/assets/152615382/5793eda8-cfcc-4b5c-b247-b2d066fc731e)

Click “Save & Close”

![image](https://github.com/dead1nfluence/Leantime-POC/assets/152615382/8dedbad8-e8b5-4889-9578-70f1df41d359)

When a user clicks the “HTML Injection” to-do, they are redirected to an attacker-controlled domain.
In the example below, the destination is a login page that could be used to phish their credentials.

![image](https://github.com/dead1nfluence/Leantime-POC/assets/152615382/95f9e6a8-d1e7-4954-92c7-29ee24e74704)
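The root cause is that the ticket title is placed into the page as markup rather than as text, so the `<a>` tag is interpreted by the browser. The following added example is not code from the POC author or from Leantime: it contrasts the vulnerable string-concatenation pattern with HTML output encoding of the same title, and adds a simple heuristic a reviewer or log pipeline could run over stored titles to spot ones that contain tags. The sample title is constructed from the payload shown above; the function names are assumptions.

```javascript
// Added example (not part of the original POC or of Leantime). The sample title
// is constructed here and mirrors the shape of the payload shown above.
const SAMPLE_TITLE = '<a href=http://192.168.2.46:8000/hacked.html>HTML Injection</a>';

// Vulnerable pattern: the title is concatenated straight into markup, so any
// tag it contains becomes live HTML (here, a clickable link to another host).
function renderTodoUnsafe(title) {
  return `<li class="todo">${title}</li>`;
}

// Output encoding: replace the five characters that change meaning in HTML
// text and attribute contexts. The browser then displays the tag as literal
// text instead of interpreting it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[ch]);
}

// Hardened rendering of the same to-do title.
function renderTodoSafe(title) {
  return `<li class="todo">${escapeHtml(title)}</li>`;
}

// Detection heuristic for stored ticket titles: flags values that look like
// they contain an HTML tag. It can false-positive on prose such as "a < b and
// c > d", so treat hits as items to review, not as a sanitiser.
const TAG_PATTERN = /<\s*\/?\s*[a-z][^>]*>/i;
function containsMarkup(value) {
  return TAG_PATTERN.test(String(value));
}

// Stand-alone demonstration: the unsafe output keeps the live anchor, the
// safe output shows it as text, and the heuristic flags the stored title.
console.log(renderTodoUnsafe(SAMPLE_TITLE));
console.log(renderTodoSafe(SAMPLE_TITLE));
console.log('contains markup:', containsMarkup(SAMPLE_TITLE));
```

The escaped version renders the injected string visibly in the to-do list, which is also what makes the attempt easy to spot during triage: a title that reads as raw `<a href=...>` text is a signal that someone tried to inject markup.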