CVE-2020-5292
Leantime < 2.0.15 - Authenticated SQL Injection via searchUsers Parameter
Severity: HIGH
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high: a malicious user or attacker with a valid session can execute arbitrary SQL queries, negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data such as users' and administrators' password hashes, modify data, or drop tables. The unescaped parameter is "searchUsers", sent in a POST request to "/tickets/showKanban" with a valid session; in the code, the parameter is named "users" in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3.
References (3)
- Third Party Advisory (x_refsource_confirm): https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp
- Patch, Third Party Advisory (x_refsource_misc): https://github.com/Leantime/leantime/pull/181
- Patch, Third Party Advisory (x_refsource_misc): https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f
Scores
CVSS v3: 8.7 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Attack Vector: NETWORK
EPSS: 0.0140 (percentile 69.3%)
Details
CWE: CWE-89
Status: published
Products (1): leantime/leantime < 2.0.15
Published: Mar 31, 2020
Tracked Since: Feb 18, 2026