jorani 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk sql injection and vendor risk cross-site scripting などに関し、一部は vendor impact session compromise を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-67102 | A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. | [email protected] | 7.6 | 0.22% | 2026-02-17 | 2026-06-17 |
| CVE-2023-53870 | Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information. | [email protected] | 5.1 | 0.30% | 2025-12-15 | 2026-06-17 |
| CVE-2023-48205 | Jorani Leave Management System 1.0.2 allows a remote attacker to spoof a Host header associated with password reset emails. | [email protected] | 5.3 | 0.76% | 2023-12-07 | 2026-06-17 |
| CVE-2023-45540 | An issue in Jorani Leave Management System 1.0.3 allows a remote attacker to execute arbitrary HTML code via a crafted script to the comment field of the List of Leave requests page. | [email protected] | 6.5 | 0.52% | 2023-10-16 | 2026-06-17 |
| CVE-2023-2681 | An SQL Injection vulnerability has been found on Jorani version 1.0.0. This vulnerability allows an authenticated remote user, with low privileges, to send queries with malicious SQL code on the "/leaves/validate" path and the “id” parameter, managing to extract arbritary information from the database. | [email protected] | 8.8 | 0.56% | 2023-10-03 | 2026-06-17 |
| CVE-2023-26469 | In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server. | [email protected] | 9.8 | 81.92% | 2023-08-17 | 2026-06-17 |
| CVE-2022-48118 | Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Acronym parameter. | [email protected] | 6.1 | 0.47% | 2023-01-27 | 2026-06-17 |
| CVE-2022-34134 | Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php. | [email protected] | 8.8 | 0.37% | 2022-06-27 | 2026-06-17 |
| CVE-2022-34133 | Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php. | [email protected] | 6.1 | 0.49% | 2022-06-27 | 2026-06-17 |
| CVE-2022-34132 | Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php. | [email protected] | 9.8 | 1.26% | 2022-06-27 | 2026-06-17 |