Search criteria

2 vulnerabilities found for titra by kromitgmbh

CVE-2025-69288 (GCVE-0-2025-69288)

Vulnerability from nvd – Published: 2025-12-31 21:55 – Updated: 2025-12-31 21:55
VLAI?
Title
Titra has Remote Code Execution in Admin Functionality
Summary
Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
kromitgmbh titra Affected: < 0.99.49
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "titra",
          "vendor": "kromitgmbh",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.99.49"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-31T21:55:44.667Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr"
        },
        {
          "name": "https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e"
        },
        {
          "name": "https://github.com/kromitgmbh/titra/releases/tag/0.99.49",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kromitgmbh/titra/releases/tag/0.99.49"
        }
      ],
      "source": {
        "advisory": "GHSA-pqgx-6wg3-gmvr",
        "discovery": "UNKNOWN"
      },
      "title": "Titra has Remote Code Execution in Admin Functionality"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-69288",
    "datePublished": "2025-12-31T21:55:44.667Z",
    "dateReserved": "2025-12-31T16:39:43.832Z",
    "dateUpdated": "2025-12-31T21:55:44.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-69288 (GCVE-0-2025-69288)

Vulnerability from cvelistv5 – Published: 2025-12-31 21:55 – Updated: 2025-12-31 21:55
VLAI?
Title
Titra has Remote Code Execution in Admin Functionality
Summary
Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
kromitgmbh titra Affected: < 0.99.49
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "titra",
          "vendor": "kromitgmbh",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.99.49"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-31T21:55:44.667Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr"
        },
        {
          "name": "https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e"
        },
        {
          "name": "https://github.com/kromitgmbh/titra/releases/tag/0.99.49",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kromitgmbh/titra/releases/tag/0.99.49"
        }
      ],
      "source": {
        "advisory": "GHSA-pqgx-6wg3-gmvr",
        "discovery": "UNKNOWN"
      },
      "title": "Titra has Remote Code Execution in Admin Functionality"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-69288",
    "datePublished": "2025-12-31T21:55:44.667Z",
    "dateReserved": "2025-12-31T16:39:43.832Z",
    "dateUpdated": "2025-12-31T21:55:44.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}