Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability.

Vulnerability type

Authenticated Blind SQL Injection

Impact & Description

The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users’ and administrators’ password hashes, modify data, or drop tables. The unescaped parameter is “searchUsers” when sending a POST request to “/tickets/showKanban” with a valid session. In the code, the parameter is named “users” in class.tickets.php.

Patches

2.0.15 or 2.1.0 beta 3

References

To-Do searches didn’t escape the “users” parameter correctly. All values are now escaped.

For more information

If you have any questions or comments about this advisory:

• Open an issue in https://github.com/Leantime/leantime/issues
• Email us at support@leantime.io

• References
  Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
  CONFIRM:https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp MISC:https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f MISC:https://github.com/Leantime/leantime/pull/181