PRION:CVE-2023-45826
History: Oct 19, 2023 - 7:15 p.m.

SQL injection

2023-10-19 19:15:00
PRIOn knowledge base
www.prio-n.com
leantime
project management
sql injection
vulnerability
userid
parameter
post request
database
confidentiality
upgrade
nvd

AI Score: 6.6 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 18.2%)

Leantime is an open source project management system. A ‘userId’ variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
