Jorani SQL Injection

Posted date 29/05/2023
Identifier

INCIBE-2023-0196

Importance
4 - High
Affected Resources

Jorani, version 1.0.0.

Description

INCIBE has coordinated the publication of a vulnerability in Jorani, an application to manage work absences, which has been discovered by David Utón Amaya (m3n0sd0n4ld).

CVE-2023-2681 has been assigned to this vulnerability.

A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

The vulnerability type is CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).

Solution

This vulnerability has been fixed in version 1.0.2, released on May 1st.

Detail

An SQL injection vulnerability has been found in Jorani version 1.0.0. It allows an authenticated remote user with low privileges to send requests containing malicious SQL code to the "/leaves/validate" path through the "id" parameter, and so to extract arbitrary information from the database.
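
For installations that ran the affected version, request logs can be reviewed for abnormal "id" values sent to this path. The following is an added example, not part of the advisory or of Jorani's code. It assumes a proxy that logs requests as JSON lines including the form body, and that a legitimate "id" is a decimal integer; the log format, field names and sample records are constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (assumed JSON-lines proxy log that includes the
# form body); these are not taken from the advisory.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "POST", "url": "/leaves/validate", "body": "id=42&type=1"}
{"src": "10.0.0.9", "method": "POST", "url": "/index.php/leaves/validate", "body": "id=42%27&type=1"}
{"src": "10.0.0.9", "method": "GET", "url": "/leaves/validate?id=abc", "body": ""}
{"src": "10.0.0.7", "method": "POST", "url": "/leaves/create", "body": "id=x%27"}
{"src": "10.0.0.8", "method": "POST", "url": "/leaves/validate", "body": "type=1"}
"""

TARGET_SUFFIX = "/leaves/validate"  # path named in the advisory
PARAM = "id"                        # parameter named in the advisory


def suspicious_ids(record):
    """Return the decoded 'id' values of one request that are not plain integers."""
    parts = urlsplit(record["url"])
    if not parts.path.rstrip("/").endswith(TARGET_SUFFIX):
        return []
    values = []
    for raw in (parts.query, record.get("body", "")):
        # parse_qs URL-decodes; keep_blank_values so an empty id is inspected too
        values += parse_qs(raw, keep_blank_values=True).get(PARAM, [])
    # Assumption: a legitimate id is a decimal integer, so anything else is flagged.
    return [v for v in values if not (v.isascii() and v.isdigit())]


def scan(log_text):
    """Return (source, url, bad_values) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        bad = suspicious_ids(rec)
        if bad:
            hits.append((rec["src"], rec["url"], bad))
    return hits


if __name__ == "__main__":
    for src, url, bad in scan(SAMPLE_LOG):
        print(f"{src} {url} non-numeric id: {bad!r}")
```

Because exploitation requires an authenticated session, flagged requests can be correlated with the account that was logged in from the same source at that time.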