Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.
References
Link | Resource |
---|---|
https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a | Patch Third Party Advisory |
https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b | Patch Third Party Advisory |
https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc | Third Party Advisory |
https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a | Patch Third Party Advisory |
https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b | Patch Third Party Advisory |
https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc | Third Party Advisory |
Configurations
History
21 Nov 2024, 06:29
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.1 |
References | () https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a - Patch, Third Party Advisory | |
References | () https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b - Patch, Third Party Advisory | |
References | () https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc - Third Party Advisory |
28 Dec 2021, 14:58
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
References | (MISC) https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b - Patch, Third Party Advisory | |
References | (MISC) https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc - Third Party Advisory |
22 Dec 2021, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-22 00:15
Updated : 2024-11-21 06:29
NVD link : CVE-2021-43851
Mitre link : CVE-2021-43851
CVE.ORG link : CVE-2021-43851
JSON object : View
Products Affected
anuko
- time_tracker
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')