12 matches found
CVE-2022-24708
The CVE-2022-24708 entry describes a Stored XSS vulnerability in Anuko Time Tracker. The issue occurs in ttUser.class.php where the primary group name was not escaped for display, allowing a logged-in user to inject JavaScript that could execute in their browser on pages displaying the group name...
CVE-2022-24707
CVE-2022-24707 affects Anuko Time Tracker’s Puncher plugin, with an unsanitized date parameter in POST requests enabling SQL injection vulnerabilities (Union-based and time-based blind) in versions prior to 1.20.0.5642. The issue arises from reusing code and unvalidated input, allowing crafted PO...
CVE-2020-27422
CVE-2020-27422 affects Anuko Time Tracker v1.19.23.5311, where the password reset link sent by email does not expire after use, enabling an attacker to reuse the same link to take over a victim’s account. The vulnerability is evidenced in multiple sources (including exploit reports) and is mitiga...
CVE-2021-21352
Anuko Time Tracker (PHP) before version 1.19.24.5415 uses time-based tokens in the password-reset feature, enabling brute-force guessing to change user passwords (including admin). The issue is addressed in 1.19.24.5415 (better tokens) and further limited in 1.19.24.5416 with a reduced brute-forc...
CVE-2021-43851
CVE-2021-43851 concerns the Anuko Time Tracker PHP application. The connected documents confirm a SQL injection in multiple files, stemming from improper validation of the group and status parameters in POST requests (notably in groups.php). The vulnerability affects Time Tracker version 1.19.33....
CVE-2020-15255
CVE-2020-15255 affects Anuko Time Tracker prior to 1.19.23.5325, where a CSV export of a report could contain cells treated as formulas due to insufficient input filtering (CSV/Formula Injection). The underlying vulnerability is the lack of proper filtering of user input in exports, which could a...
CVE-2023-32308
The CVE-2023-32308 entry concerns anuko timetracker, an open-source time-tracking system. A Boolean-based blind SQL injection existed in Time Tracker’s invoices.php for versions prior to 1.22.11.5781, caused by a coding error after validating POST parameters and lack of an error check before adju...
CVE-2020-27423
This CVE affects Anuko Time Tracker v1.19.23.5311, where the password-reset module lacks rate limiting, enabling a Denial of Service against any legitimate user’s mailbox. The root cause is an absence of rate limiting on the password reset flow. Public references indicate an exploit exists and de...
CVE-2021-41139
Anuko Time Tracker (PHP) suffers a reflected XSS in time.php via the date URI parameter, exploitable before patch in 1.19.30.5600. An attacker could persuade a logged-in user to click a crafted link, causing attacker-supplied JavaScript to execute in the user’s browser. Remediated in version 1.19...
CVE-2023-32066
Time Tracker’s Week View plugin (versions setTitle call in week.php (line ~245) as implemented in 1.22.12.5783. Affected products include Anuko Time Tracker; no exploitation status is provided in the documents. Recommended remediation: upgrade to 1.22.12.5783 or newer to mitigate the vulnerabilit...
CVE-2021-29436
CVE-2021-29436 affects Anuko Time Tracker (PHP, web-based). Before version 1.19.27.5431 a Cross-Site Request Forgery (CSRF) vulnerability allowed a logged-in user to be tricked into performing unintended actions (e.g., changing a password) via a forged request. The issue is fixed in Time Tracker ...
CVE-2023-32306
Time Tracker vulnerability CVE-2023-32306 exists in the Reports feature (reports.php) of Time Tracker prior to version 1.22.13.5792. A time-based blind SQL injection arises because several POST parameters aren’t properly validated, enabling crafted requests to inject SQL into the Time Tracker dat...