Lucene search

[email protected]CVE-2023-32066

HistoryMay 09, 2023 - 4:15 p.m.

CVE-2023-32066

2023-05-0916:15:15

CWE-79

[email protected]

web.nvd.nist.gov

time tracker

cve-2023-32066

xss

open source

time tracking

nvd

security vulnerability

1.22.11.5782

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.6%

JSON

Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use htmlspecialchars when calling $field->setTitle on line #245 in the week.php file, as happens in version 1.22.12.5783.

Affected configurations

Vulners

NVD

Node

anukotime_trackerRange<1.22.12.5783

VendorProductVersionCPE
anukotime_tracker*cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
anuko	time_tracker	*	cpe:2.3:a:anuko:time_tracker::::::::

CNA Affected

[
  {
    "vendor": "anuko",
    "product": "timetracker",
    "versions": [
      {
        "version": "< 1.22.12.5783",
        "status": "affected"
      }
    ]
  }
]

References

github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb

github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw