Lucene search

GitHub_MCVELIST:CVE-2021-41156

HistoryOct 18, 2021 - 9:10 p.m.

CVE-2021-41156 Reflected XSS vulnerability

2021-10-1821:10:10

CWE-79

GitHub_M

www.cve.org

cve-2021-41156

reflected xss

open source

time tracking

security vulnerability

browser_today

social engineering

javascript

patched

upgrade

function

access checks

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

22.7%

JSON

anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today’s date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft an html form with malicious JavaScript, use social engineering to convince logged on users to execute a POST from such form, and have the attacker-supplied JavaScript to be executed in user’s browser. This has been patched in version 1.19.30.5600. Upgrade is recommended. If it is not practical, introduce ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block.

CNA Affected

[
  {
    "product": "timetracker",
    "vendor": "anuko",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.19.30.5601"
      }
    ]
  }
]

References

github.com/anuko/timetracker/security/advisories/GHSA-g9cc-m4p4-6xpc

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

22.7%

JSON

Related for CVELIST:CVE-2021-41156