CVE-2023-32066

Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use `htmlspecialchars` when calling `$field->setTitle` on line #245 in the `week.php` file, as happens in version 1.22.12.5783.
Configurations

Configuration 1 (hide)

cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:02

Type Values Removed Values Added
References () https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb - Patch () https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb - Patch
References () https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw - Third Party Advisory () https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw - Third Party Advisory

17 May 2023, 13:57

Type Values Removed Values Added
CPE cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
References (MISC) https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw - (MISC) https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw - Third Party Advisory
References (MISC) https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb - (MISC) https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb - Patch

09 May 2023, 17:36

Type Values Removed Values Added
New CVE

Information

Published : 2023-05-09 16:15

Updated : 2024-11-21 08:02


NVD link : CVE-2023-32066

Mitre link : CVE-2023-32066

CVE.ORG link : CVE-2023-32066


JSON object : View

Products Affected

anuko

  • time_tracker
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')