CVE-2023-32066
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use htmlspecialchars when calling $field->setTitle on line #245 in the week.php file, as happens in version 1.22.12.5783.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| anuko | timetracker | < 1.22.12.5783 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw
- https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw
- https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.