Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
13 vulnerabilities by anuko
CVE-2023-32308 (GCVE-0-2023-32308)
Vulnerability from cvelistv5 – Published: 2023-05-15 20:47 – Updated: 2025-01-22 21:40
VLAI?
Title
SQL Injection Vulnerability in anuko timetracker
Summary
anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling `ttGroupHelper::getActiveInvoices()` in invoices.php.
Severity ?
8.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.22.11.5781
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r"
},
{
"name": "https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T21:40:47.659773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T21:40:50.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.11.5781"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling `ttGroupHelper::getActiveInvoices()` in invoices.php."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-15T20:47:06.537Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r"
},
{
"name": "https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf"
}
],
"source": {
"advisory": "GHSA-9g2c-7c7g-p58r",
"discovery": "UNKNOWN"
},
"title": "SQL Injection Vulnerability in anuko timetracker"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32308",
"datePublished": "2023-05-15T20:47:06.537Z",
"dateReserved": "2023-05-08T13:26:03.878Z",
"dateUpdated": "2025-01-22T21:40:50.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32306 (GCVE-0-2023-32306)
Vulnerability from cvelistv5 – Published: 2023-05-12 18:52 – Updated: 2025-01-23 20:27
VLAI?
Title
Time Tracker has Blind SQL Injection Vulnerability in Reports
Summary
Time Tracker is an open source time tracking system. A time-based blind injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the `reports.php` page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue is fixed in version 1.22.13.5792. As a workaround, use the fixed code in `ttReportHelper.class.php` from version 1.22.13.5792.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.22.13.5792
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-758x-vg7g-j9j3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-758x-vg7g-j9j3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32306",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T20:27:15.509612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T20:27:39.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.13.5792"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Time Tracker is an open source time tracking system. A time-based blind injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the `reports.php` page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue is fixed in version 1.22.13.5792. As a workaround, use the fixed code in `ttReportHelper.class.php` from version 1.22.13.5792."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T18:52:59.374Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-758x-vg7g-j9j3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-758x-vg7g-j9j3"
}
],
"source": {
"advisory": "GHSA-758x-vg7g-j9j3",
"discovery": "UNKNOWN"
},
"title": "Time Tracker has Blind SQL Injection Vulnerability in Reports"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32306",
"datePublished": "2023-05-12T18:52:59.374Z",
"dateReserved": "2023-05-08T13:26:03.877Z",
"dateUpdated": "2025-01-23T20:27:39.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32066 (GCVE-0-2023-32066)
Vulnerability from cvelistv5 – Published: 2023-05-09 15:28 – Updated: 2025-01-28 16:01
VLAI?
Title
Time Tracker has Stored XSS vulnerability in Week View plugin
Summary
Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use `htmlspecialchars` when calling `$field->setTitle` on line #245 in the `week.php` file, as happens in version 1.22.12.5783.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.22.12.5783
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw"
},
{
"name": "https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T16:00:10.835320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T16:01:00.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.12.5783"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use `htmlspecialchars` when calling `$field-\u003esetTitle` on line #245 in the `week.php` file, as happens in version 1.22.12.5783."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T15:28:50.596Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw"
},
{
"name": "https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb"
}
],
"source": {
"advisory": "GHSA-jw2g-8wvp-9frw",
"discovery": "UNKNOWN"
},
"title": "Time Tracker has Stored XSS vulnerability in Week View plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32066",
"datePublished": "2023-05-09T15:28:50.596Z",
"dateReserved": "2023-05-01T16:47:35.314Z",
"dateUpdated": "2025-01-28T16:01:00.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24707 (GCVE-0-2022-24707)
Vulnerability from cvelistv5 – Published: 2022-02-23 23:50 – Updated: 2025-04-22 18:21
VLAI?
Title
SQL injection in anuko timetracker
Summary
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.
Severity ?
7.4 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.20.0.5642
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/0e2d6563e2d969209c502a1eae4ddd8e87b73299"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167060/Anuko-Time-Tracker-1.20.0.5640-SQL-Injection.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24707",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:37.900340Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:21:26.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.20.0.5642"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-11T19:06:26.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/0e2d6563e2d969209c502a1eae4ddd8e87b73299"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167060/Anuko-Time-Tracker-1.20.0.5640-SQL-Injection.html"
}
],
"source": {
"advisory": "GHSA-wqx7-95fx-wjxj",
"discovery": "UNKNOWN"
},
"title": "SQL injection in anuko timetracker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24707",
"STATE": "PUBLIC",
"TITLE": "SQL injection in anuko timetracker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.20.0.5642"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj"
},
{
"name": "https://github.com/anuko/timetracker/commit/0e2d6563e2d969209c502a1eae4ddd8e87b73299",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/0e2d6563e2d969209c502a1eae4ddd8e87b73299"
},
{
"name": "http://packetstormsecurity.com/files/167060/Anuko-Time-Tracker-1.20.0.5640-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167060/Anuko-Time-Tracker-1.20.0.5640-SQL-Injection.html"
}
]
},
"source": {
"advisory": "GHSA-wqx7-95fx-wjxj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24707",
"datePublished": "2022-02-23T23:50:14.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:21:26.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24708 (GCVE-0-2022-24708)
Vulnerability from cvelistv5 – Published: 2022-02-23 23:50 – Updated: 2025-04-23 19:00
VLAI?
Title
Stored XSS vulnerability in anuko/timetracker
Summary
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.20.0.5646
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:57.944603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:00:40.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.20.0.5646"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-23T23:50:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"
}
],
"source": {
"advisory": "GHSA-rgcm-xgvj-5mqh",
"discovery": "UNKNOWN"
},
"title": "Stored XSS vulnerability in anuko/timetracker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24708",
"STATE": "PUBLIC",
"TITLE": "Stored XSS vulnerability in anuko/timetracker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.20.0.5646"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"
},
{
"name": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"
}
]
},
"source": {
"advisory": "GHSA-rgcm-xgvj-5mqh",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24708",
"datePublished": "2022-02-23T23:50:09.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:00:40.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43851 (GCVE-0-2021-43851)
Vulnerability from cvelistv5 – Published: 2021-12-21 23:40 – Updated: 2024-08-04 04:10
VLAI?
Title
SQL injection vulnerability in anuko timetracker
Summary
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.
Severity ?
8.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.19.33.5607
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:16.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.33.5607"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the \"group\" and \"status\" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-21T23:40:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b"
}
],
"source": {
"advisory": "GHSA-wx6x-6rq3-pqcc",
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in anuko timetracker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43851",
"STATE": "PUBLIC",
"TITLE": "SQL injection vulnerability in anuko timetracker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.33.5607"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the \"group\" and \"status\" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc"
},
{
"name": "https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a"
},
{
"name": "https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b"
}
]
},
"source": {
"advisory": "GHSA-wx6x-6rq3-pqcc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43851",
"datePublished": "2021-12-21T23:40:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:10:16.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41156 (GCVE-0-2021-41156)
Vulnerability from cvelistv5 – Published: 2021-10-18 21:10 – Updated: 2024-08-04 02:59
VLAI?
Title
Reflected XSS vulnerability
Summary
anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today's date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft an html form with malicious JavaScript, use social engineering to convince logged on users to execute a POST from such form, and have the attacker-supplied JavaScript to be executed in user's browser. This has been patched in version 1.19.30.5600. Upgrade is recommended. If it is not practical, introduce ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block.
Severity ?
6.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.19.30.5601
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-g9cc-m4p4-6xpc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.30.5601"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today\u0027s date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft an html form with malicious JavaScript, use social engineering to convince logged on users to execute a POST from such form, and have the attacker-supplied JavaScript to be executed in user\u0027s browser. This has been patched in version 1.19.30.5600. Upgrade is recommended. If it is not practical, introduce ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-18T21:10:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-g9cc-m4p4-6xpc"
}
],
"source": {
"advisory": "GHSA-g9cc-m4p4-6xpc",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41156",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.30.5601"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today\u0027s date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft an html form with malicious JavaScript, use social engineering to convince logged on users to execute a POST from such form, and have the attacker-supplied JavaScript to be executed in user\u0027s browser. This has been patched in version 1.19.30.5600. Upgrade is recommended. If it is not practical, introduce ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-g9cc-m4p4-6xpc",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-g9cc-m4p4-6xpc"
}
]
},
"source": {
"advisory": "GHSA-g9cc-m4p4-6xpc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41156",
"datePublished": "2021-10-18T21:10:10.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:59:31.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41139 (GCVE-0-2021-41139)
Vulnerability from cvelistv5 – Published: 2021-10-13 17:10 – Updated: 2024-08-04 02:59
VLAI?
Title
Reflected XSS vulnerability in time.php
Summary
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user's browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.19.30.5600
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.30.5600"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user\u0027s browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-13T17:10:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c"
}
],
"source": {
"advisory": "GHSA-h2v8-87c9-86cw",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS vulnerability in time.php",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41139",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS vulnerability in time.php"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.30.5600"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user\u0027s browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw"
},
{
"name": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593"
},
{
"name": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c"
}
]
},
"source": {
"advisory": "GHSA-h2v8-87c9-86cw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41139",
"datePublished": "2021-10-13T17:10:10.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:59:31.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29436 (GCVE-0-2021-29436)
Vulnerability from cvelistv5 – Published: 2021-04-13 17:20 – Updated: 2024-08-03 22:02
VLAI?
Title
Cross site request forgery vulnerability
Summary
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that a logged on user may be tricked by social engineering to click on an attacker-provided form that executes an unintended action such as changing user password. The vulnerability is fixed in Time Tracker version 1.19.27.5431. Upgrade is recommended. If upgrade is not practical, introduce ttMitigateCSRF() function in /WEB-INF/lib/common.php.lib using the latest available code and call it from ttAccessAllowed().
Severity ?
5.4 (Medium)
CWE
- CWE-352 - {"CWE-352":"Cross-Site Request Forgery (CSRF)"}
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.19.27.5431
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-pgpx-rfvj-9g4f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/e3f8222ee308322942bcebcd86b78ecf19382563"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/e77be7eea69df5d52e19f9f25b5b89a0e66a5b8e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.27.5431"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that a logged on user may be tricked by social engineering to click on an attacker-provided form that executes an unintended action such as changing user password. The vulnerability is fixed in Time Tracker version 1.19.27.5431. Upgrade is recommended. If upgrade is not practical, introduce ttMitigateCSRF() function in /WEB-INF/lib/common.php.lib using the latest available code and call it from ttAccessAllowed()."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "{\"CWE-352\":\"Cross-Site Request Forgery (CSRF)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T17:20:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-pgpx-rfvj-9g4f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/e3f8222ee308322942bcebcd86b78ecf19382563"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/e77be7eea69df5d52e19f9f25b5b89a0e66a5b8e"
}
],
"source": {
"advisory": "GHSA-pgpx-rfvj-9g4f",
"discovery": "UNKNOWN"
},
"title": "Cross site request forgery vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29436",
"STATE": "PUBLIC",
"TITLE": "Cross site request forgery vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.27.5431"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that a logged on user may be tricked by social engineering to click on an attacker-provided form that executes an unintended action such as changing user password. The vulnerability is fixed in Time Tracker version 1.19.27.5431. Upgrade is recommended. If upgrade is not practical, introduce ttMitigateCSRF() function in /WEB-INF/lib/common.php.lib using the latest available code and call it from ttAccessAllowed()."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-352\":\"Cross-Site Request Forgery (CSRF)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-pgpx-rfvj-9g4f",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-pgpx-rfvj-9g4f"
},
{
"name": "https://github.com/anuko/timetracker/commit/e3f8222ee308322942bcebcd86b78ecf19382563",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/e3f8222ee308322942bcebcd86b78ecf19382563"
},
{
"name": "https://github.com/anuko/timetracker/commit/e77be7eea69df5d52e19f9f25b5b89a0e66a5b8e",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/e77be7eea69df5d52e19f9f25b5b89a0e66a5b8e"
}
]
},
"source": {
"advisory": "GHSA-pgpx-rfvj-9g4f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29436",
"datePublished": "2021-04-13T17:20:14.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:02:51.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21352 (GCVE-0-2021-21352)
Vulnerability from cvelistv5 – Published: 2021-03-03 00:20 – Updated: 2024-08-03 18:09
VLAI?
Title
Predictable tokens used for password resets
Summary
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).
Severity ?
6.8 (Medium)
CWE
- CWE-330 - Use of Insufficiently Random Values
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.19.24.5415
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.anuko.com/time-tracker/index.htm"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.24.5415"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-03T00:20:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.anuko.com/time-tracker/index.htm"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5"
}
],
"source": {
"advisory": "GHSA-43c9-rx4h-4gqq",
"discovery": "UNKNOWN"
},
"title": "Predictable tokens used for password resets",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21352",
"STATE": "PUBLIC",
"TITLE": "Predictable tokens used for password resets"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.24.5415"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-330: Use of Insufficiently Random Values"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.anuko.com/time-tracker/index.htm",
"refsource": "MISC",
"url": "https://www.anuko.com/time-tracker/index.htm"
},
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq"
},
{
"name": "https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5"
}
]
},
"source": {
"advisory": "GHSA-43c9-rx4h-4gqq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21352",
"datePublished": "2021-03-03T00:20:16.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:15.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27422 (GCVE-0-2020-27422)
Vulnerability from cvelistv5 – Published: 2020-11-16 15:49 – Updated: 2024-08-04 16:18
VLAI?
Summary
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.anuko.com/time-tracker/index.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn\u0027t expire once used, allowing an attacker to use the same link to takeover the account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T15:49:10.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.anuko.com/time-tracker/index.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27422",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn\u0027t expire once used, allowing an attacker to use the same link to takeover the account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.anuko.com/time-tracker/index.htm",
"refsource": "MISC",
"url": "https://www.anuko.com/time-tracker/index.htm"
},
{
"name": "https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27422",
"datePublished": "2020-11-16T15:49:10.000Z",
"dateReserved": "2020-10-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:18:44.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27423 (GCVE-0-2020-27423)
Vulnerability from cvelistv5 – Published: 2020-11-16 15:45 – Updated: 2024-08-04 16:18
VLAI?
Summary
Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:43.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/160052/Anuko-Time-Tracker-1.19.23.5311-Missing-Rate-Limiting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user\u0027s mailbox"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T15:45:52.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/160052/Anuko-Time-Tracker-1.19.23.5311-Missing-Rate-Limiting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27423",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user\u0027s mailbox"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/160052/Anuko-Time-Tracker-1.19.23.5311-Missing-Rate-Limiting.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/160052/Anuko-Time-Tracker-1.19.23.5311-Missing-Rate-Limiting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27423",
"datePublished": "2020-11-16T15:45:52.000Z",
"dateReserved": "2020-10-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:18:43.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15255 (GCVE-0-2020-15255)
Vulnerability from cvelistv5 – Published: 2020-10-16 16:20 – Updated: 2024-08-04 13:08
VLAI?
Title
CSV injection in Anuko Time Tracker
Summary
In Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325.
Severity ?
8.7 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anuko | timetracker |
Affected:
< 1.19.23.5325
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:23.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/49027"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "timetracker",
"vendor": "anuko",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.23.5325"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T00:45:40.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/49027"
}
],
"source": {
"advisory": "GHSA-prjf-9mgh-8fpv",
"discovery": "UNKNOWN"
},
"title": "CSV injection in Anuko Time Tracker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15255",
"STATE": "PUBLIC",
"TITLE": "CSV injection in Anuko Time Tracker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "timetracker",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.23.5325"
}
]
}
}
]
},
"vendor_name": "anuko"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv",
"refsource": "CONFIRM",
"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv"
},
{
"name": "https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f",
"refsource": "MISC",
"url": "https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f"
},
{
"name": "http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html"
},
{
"name": "https://www.exploit-db.com/exploits/49027",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/49027"
}
]
},
"source": {
"advisory": "GHSA-prjf-9mgh-8fpv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15255",
"datePublished": "2020-10-16T16:20:16.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:23.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}