Lucene search

GitHub_MCVELIST:CVE-2022-24708

HistoryFeb 23, 2022 - 11:50 p.m.

CVE-2022-24708 Stored XSS vulnerability in anuko/timetracker

2022-02-2323:50:09

CWE-79

GitHub_M

www.cve.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

19.4%

JSON

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name.

CNA Affected

[
  {
    "product": "timetracker",
    "vendor": "anuko",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.20.0.5646"
      }
    ]
  }
]

References

github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330

github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh