CVE-2018-15918 in Jorani
Summary
by MITRE
An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) allows a user of the application without permissions to read and modify sensitive information from the database used by the application via the startdate or enddate parameter to leaves/validate.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/06/2025
The vulnerability identified as CVE-2018-15918 represents a critical SQL injection flaw in Jorani version 0.6.5 that exposes the application to unauthorized data access and manipulation. This security weakness specifically affects the leave validation functionality where the application fails to properly sanitize user input parameters, creating an avenue for malicious actors to exploit the system's database layer through error-based SQL injection techniques. The vulnerability is particularly concerning because it allows unauthenticated attackers to execute arbitrary SQL commands against the underlying database, potentially compromising sensitive employee information and organizational data integrity.
The technical implementation of this vulnerability occurs through the startdate and enddate parameters within the leaves/validate endpoint of the Jorani application. When these parameters are processed without proper input validation or parameterized query construction, attackers can inject malicious SQL payloads that leverage database error messages to extract information from the system. This error-based SQL injection approach enables attackers to infer database structure, content, and potentially execute destructive operations such as data modification, deletion, or unauthorized access to sensitive employee records including personal information, leave balances, and organizational hierarchy data.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential system compromise and regulatory compliance violations. Organizations utilizing Jorani 0.6.5 face significant risk of unauthorized access to employee personal data, which could result in privacy breaches, identity theft, and violation of data protection regulations such as GDPR, HIPAA, or other applicable privacy laws. The vulnerability's accessibility to unauthenticated users means that even individuals without legitimate application permissions can exploit the flaw, creating a substantial security risk for organizations that store sensitive personnel information within the system.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws, and maps to ATT&CK technique T1071.004 for application layer protocol manipulation. The attack surface is particularly dangerous because it targets the database layer through a web application interface, allowing attackers to escalate privileges and potentially move laterally within the network. Organizations should implement immediate mitigations including input validation, parameterized queries, and proper access controls while also considering the broader implications for their security posture and compliance requirements. The vulnerability demonstrates the critical importance of proper input sanitization and the potential consequences of failing to implement secure coding practices in web applications that handle sensitive data.