CVE-2020-5292 Information

Description

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality integrity and availability of the site. Attackers can exfiltrate data like the users’ and administrators’ password hashes modify data or drop tables. The unescaped parameter is \searchUsers\ when sending a POST request to /tickets/showKanban\ with a valid session. In the code the parameter is named \users\ in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f https://github.com/Leantime/leantime/pull/181 https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8