Marcelfolaron

**Name of the Vulnerable Software and Affected Versions** Leantime versions prior to 2.0.15 Leantime versions prior to 2.1-beta3 **Description** The issue allows malicious users to execute arbitrary SQL queries, which can negatively affect the confidentiality, integrity, and availability of the site. This can lead to data exfiltration, such as users' and administrators' password hashes, modification of data, or dropping of tables. The vulnerability is triggered by sending a POST request to "/tickets/showKanban" with a valid session and exploiting the unescaped `searchUsers` parameter, also referred to as `users` in the class.tickets.php file. **Recommendations** For versions prior to 2.0.15, update to version 2.0.15 or later. For versions prior to 2.1-beta3, update to version 2.1.0 beta 3 or later.