Lucene search

GoogleOSV:CVE-2023-32066

HistoryMay 09, 2023 - 4:15 p.m.

CVE-2023-32066

2023-05-0916:15:15

Google

osv.dev

time tracker

week view plugin

vulnerability

javascript execution

versions 1.22.11.5782

security

fix

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

6.7 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

40.6%

JSON

Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use htmlspecialchars when calling $field->setTitle on line #245 in the week.php file, as happens in version 1.22.12.5783.

References

github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb

github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw