CVE-2023-32308
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Summary
anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling ttGroupHelper::getActiveInvoices() in invoices.php.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| anuko | timetracker | < 1.22.11.5781 | affected |
Weaknesses
- CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r
- https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r
- https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.