CVE-2018-15918

MEDIUM

Jorani 0.6.5 - SQL Injection via Startdate or Enddate Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-15918. PoCs published by Javier Olmedo.

AI-analyzed exploit summary This PoC demonstrates an SQL injection vulnerability in Jorani Leave Management System 0.6.5 via the 'startdate' and 'enddate' parameters in a POST request to '/leaves/validate'. The exploit uses error-based techniques to extract database information.

Description

An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) allows a user of the application without permissions to read and modify sensitive information from the database used by the application via the startdate or enddate parameter to leaves/validate.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Javier Olmedo · textwebappsphp
https://www.exploit-db.com/exploits/45340

This PoC demonstrates an SQL injection vulnerability in Jorani Leave Management System 0.6.5 via the 'startdate' and 'enddate' parameters in a POST request to '/leaves/validate'. The exploit uses error-based techniques to extract database information.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Jorani Leave Management System 0.6.5
Auth required
Prerequisites: Valid session cookies · Access to the '/leaves/validate' endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45340/
Issue Tracking, Vendor Advisory x_refsource_misc
https://github.com/bbalet/jorani/issues/254

Scores

CVSS v3 5.4
EPSS 0.0287
EPSS Percentile 85.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-89
Status published
Products (1)
jorani_project/jorani 0.6.5
Published Sep 05, 2018
Tracked Since Feb 18, 2026