Jorani 1.0.0 Security Vulnerabilities
A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4 allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter.
CVSS Score: 7.6
EPSS Score: 0.0
Published: 2026-02-17
An SQL Injection vulnerability has been found on Jorani version 1.0.0. This vulnerability allows an authenticated remote user, with low privileges, to send queries with malicious SQL code on the "/leaves/validate" path and the "id" parameter, managing to extract arbitrary information from the database.
CVSS Score: 8.8
EPSS Score: 0.006
Published: 2023-10-03
In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
CVSS Score: 9.8
EPSS Score: 0.927
Published: 2023-08-17
Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Acronym parameter.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2023-01-27
Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php.
CVSS Score: 9.8
EPSS Score: 0.019
Published: 2022-06-28
Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php.
CVSS Score: 6.1
EPSS Score: 0.005
Published: 2022-06-28
Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2022-06-28