Lucene search

[email protected]NVD:CVE-2023-32066

HistoryMay 09, 2023 - 4:15 p.m.

CVE-2023-32066

2023-05-0916:15:15

CWE-79

[email protected]

web.nvd.nist.gov

time tracker

javascript injection

week view table

version 1.22.11.5782

version 1.22.12.5783

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

40.6%

JSON

Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use htmlspecialchars when calling $field->setTitle on line #245 in the week.php file, as happens in version 1.22.12.5783.

Affected configurations

NVD

Node

anukotime_trackerRange<1.22.12.5783

References

github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb

github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw