Jorani SQL Injection
INCIBE-2023-0196
Jorani, version 1.0.0.
INCIBE has coordinated the publication of a vulnerability in Jorani, an application to manage work absences, which has been discovered by David Utón Amaya (m3n0sd0n4ld).
CVE-2023-2681 has been assigned to this vulnerability.
A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
The vulnerability type is CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).
This vulnerability has been fixed in version 1.0.2, released on May 1st.
An SQL injection vulnerability has been found in Jorani version 1.0.0. It allows an authenticated remote user with low privileges to send queries containing malicious SQL code to the "/leaves/validate" path through the "id" parameter, and so extract arbitrary information from the database.
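For installations that ran version 1.0.0, the following added example (not code from INCIBE or the Jorani project) triages web server access logs for requests to the affected path whose "id" value is not a plain integer. It assumes that legitimate ids are integers and that logs use the combined format; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/leaves/validate"        # path named in the advisory
PARAM = "id"                          # parameter named in the advisory
PLAIN_ID = re.compile(r"[0-9]{1,10}")  # assumption: a legitimate id is a plain integer

# Apache/nginx "combined" access-log prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_ids(url, body=""):
    """Return decoded 'id' values sent to the affected path that are not plain integers.

    Both the query string and a form-encoded body are checked, because the
    advisory does not say how the parameter is transported.
    """
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith(VULN_PATH):
        return []
    values = []
    for encoded in (parts.query, body):
        values += parse_qs(encoded, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not PLAIN_ID.fullmatch(v)]

def triage(lines):
    """Return (client, status, offending values) for each access-log line worth reviewing."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            bad = suspicious_ids(m["url"])
            if bad:
                hits.append((m["ip"], m["status"], bad))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/May/2023:10:00:01 +0000] "GET /leaves/validate?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/May/2023:10:00:07 +0000] "GET /leaves/validate?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [02/May/2023:10:00:09 +0000] "GET /leaves/create HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, status, values in triage(SAMPLE_LOG):
        print(f"review: {client} status={status} id={values!r}")
```

Access logs normally omit request bodies, so if the parameter is sent by POST the `body` argument has to be fed from a proxy or WAF that records form data.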