Insights by Jobyer Ahmed
Founder & Security Lead, Bytium
Leads penetration testing and detection engineering at Bytium, focusing on exploit-backed findings, practical remediation, and verified closure.
Leantime 3.8.0 Broken Access Control
Leantime is a popular open-source project-management app. Its front-end talks to a JSON-RPC API, and several of those API methods forgot to check *who* is calling them. We already covered how that lets any low-privilege user make themselves an administrator.
Leantime 3.8.0 Privilege Escalation Vulnerability
A broken access control flaw (CWE-862) in Leantime ≤3.8.0 lets any authenticated low-privilege user escalate to Owner via the JSON-RPC API. PoC, impact, and fix.
Krayin CRM 2.2.0 - Authenticated Arbitrary File Upload to RCE
Krayin CRM 2.2.0 ships a TinyMCE media-upload endpoint that accepts any file extension and stores the result on a publicly served Laravel disk.
Krayin CRM 2.2.0 - Authenticated Blind SQL Injection in Leads DataGrid
Krayin CRM 2.2.0 contains an authenticated blind time-based SQL injection in the Leads DataGrid. The `rotten_lead[in]` request parameter is concatenated directly into a `havingRaw()` expression without parameter binding, exposing the database to byte-by-byte extraction by any authenticated staff user.
Krayin CRM 2.2.0 - Cross-User IDOR Across Lead, Contact, and Activity Controllers
An authenticated cross-user IDOR vulnerability has been identified in Webkul's Krayin CRM 2.2.0.
Blind SQL Injection in Perfex CRM 3.4.1
Perfex CRM 3.4.1 pastes the `sort_by` request parameter directly into an ORDER BY clause with CodeIgniter's identifier escaping disabled. Any staff account — admin flag not required, zero role permissions is enough — can exploit this blind time-based SQL injection to read the entire application database, including the bcrypt-wrapped phpass hashes in `tblstaff.password`.