Lucene search

GitHub_MCVELIST:CVE-2023-32308

HistoryMay 15, 2023 - 8:47 p.m.

CVE-2023-32308 SQL Injection Vulnerability in anuko timetracker

2023-05-1520:47:06

CWE-89

GitHub_M

www.cve.org

anuko timetracker

sql injection

security issue

version 1.22.11.5781

upgrade

database protection

post requests

coding error

ttgrouphelper

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

0.002 Low

EPSS

Percentile

56.5%

JSON

anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling ttGroupHelper::getActiveInvoices() in invoices.php.

CNA Affected

[
  {
    "vendor": "anuko",
    "product": "timetracker",
    "versions": [
      {
        "version": "< 1.22.11.5781",
        "status": "affected"
      }
    ]
  }
]

References

github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf

github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

0.002 Low

EPSS

Percentile

56.5%

JSON

Related for CVELIST:CVE-2023-32308