CVE-2023-53870
Description
Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jorani 1.0.3 is vulnerable to reflected XSS via the language parameter, allowing attackers to execute arbitrary JavaScript and steal session cookies.
This is a reflected cross-site scripting (XSS) vulnerability in Jorani 1.0.3 (and possibly earlier versions). The root cause is a failure to sanitize user input in the language parameter sent to the /session/login endpoint. As the Exploit-DB entry demonstrates, input like 75943";alert(1)//569 is echoed unmodified into the response, where the double quote closes a double-quoted JavaScript string literal and the remainder is parsed as script [1]. This is a classic instance of CWE-79: Improper Neutralization of Input During Web Page Generation [3].
Exploitation requires no authentication: the vulnerable endpoint is the login page, which is reachable by any unauthenticated user. An attacker can craft a URL containing a malicious language parameter (for example, language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois as shown in [1]) and trick a victim into visiting it via phishing or another delivery method. The JavaScript payload then executes in the context of the victim's browser session on the Jorani application.
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of session cookies (as demonstrated by the alert(document.cookie) payload), enabling session hijacking. Additionally, the attacker can perform actions on behalf of the victim, such as modifying requests or accessing sensitive information disclosed in the page [1][2]. The vendor application is an open-source leave and overtime management system, making this a risk for organizations using Jorani for employee self-service.
As of the publication of this advisory, no official patch has been confirmed, though the software is open-source and maintainers may have addressed it in later commits. Users are strongly advised to upgrade to a version newer than 1.0.3 if available, or to apply a workaround such as filtering or encoding the language parameter on the server side. The vulnerability is confirmed by the vendor's demo site and the Exploit-DB proof-of-concept [1][3].
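The workaround recommended above (filtering or encoding the language parameter on the server side), as an added example that is not Jorani's own code. It assumes a PHP login page (Jorani is a PHP application, but nothing here uses its code base) that writes the parameter into an inline script and into a hidden form field; the function names, the locale allow-list pattern and the two sample inputs are constructed for illustration. The vulnerable rendering is shown beside the hardened one so the difference in output is visible.

```php
<?php
// Added example, not Jorani's code. Two ways of writing a "language" request
// parameter into a login page: the vulnerable pattern and a hardened one.

// Constructed sample inputs: a legitimate locale tag and a value of the kind the
// advisory describes (a double quote that closes a JavaScript string literal).
const SAMPLE_OK  = 'en-GB';
const SAMPLE_BAD = 'en-GB"; alert(1)//';

// VULNERABLE: the raw parameter is concatenated into an inline script. A double
// quote in the input terminates the string literal; whatever follows runs as JS.
function render_language_vulnerable(string $lang): string
{
    return '<script>var language = "' . $lang . '";</script>';
}

// HARDENED, step 1 (filtering): a locale tag never needs anything beyond letters
// and one hyphen, so reject everything else up front. Pattern is an assumption.
function is_valid_language(string $lang): bool
{
    return preg_match('/^[a-z]{2,3}(-[A-Z]{2})?$/', $lang) === 1;
}

// HARDENED, step 2 (encoding): emit a JS string literal with json_encode. The
// JSON_HEX_* flags hex-escape < > & ' and ", so the literal can neither close the
// surrounding string nor terminate the <script> element.
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// For HTML attribute or text context the encoding is different: htmlspecialchars.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list first, then encode for the exact context the value lands in.
function render_language_hardened(string $lang, string $default = 'en'): string
{
    $safe = is_valid_language($lang) ? $lang : $default;
    return '<script>var language = ' . js_string_literal($safe) . ';</script>'
         . '<input type="hidden" name="language" value="' . html_text($safe) . '">';
}

foreach ([SAMPLE_OK, SAMPLE_BAD] as $input) {
    echo "input: {$input}\n";
    echo "  vulnerable:   " . render_language_vulnerable($input) . "\n";
    // Encoding alone already neutralises the quote (defence in depth) ...
    echo "  encoded only: " . js_string_literal($input) . "\n";
    // ... and the allow-list replaces the bad value with the default altogether.
    echo "  hardened:     " . render_language_hardened($input) . "\n";
}
```

Run with `php example.php`. For the constructed bad input the vulnerable line contains a closed string literal followed by `alert(1)//`, the encoded-only line is a single string literal with the quote rendered as `\u0022`, and the hardened line contains only the default locale. The allow-list is the primary fix because a locale selector has no legitimate use for quotes or angle brackets; the context-specific encoding is kept as a second layer for any path where the value is echoed without passing through the check.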
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (no linked articles in our index yet)