CVE-2023-2681 Information

Description

An SQL Injection vulnerability has been found on Jorani version 1.0.0. This vulnerability allows an authenticated remote user with low privileges to send queries with malicious SQL code on the /leaves/validate\ path and the “id” parameter managing to extract arbritary information from the database.

Reference

https://www.incibe.es/en/incibe-cert/notices/aviso/jorani-sql-injection