Lucene search
K
AnukoTime Tracker

12 matches found

CVE
CVE
added 2022/02/23 11:50 p.m.110 views

CVE-2022-24708

The CVE-2022-24708 entry describes a Stored XSS vulnerability in Anuko Time Tracker. The issue occurs in ttUser.class.php where the primary group name was not escaped for display, allowing a logged-in user to inject JavaScript that could execute in their browser on pages displaying the group name...

6.5CVSS5.5AI score0.00544EPSS
CVE
CVE
added 2022/02/23 11:50 p.m.96 views

CVE-2022-24707

CVE-2022-24707 affects Anuko Time Tracker’s Puncher plugin, with an unsanitized date parameter in POST requests enabling SQL injection vulnerabilities (Union-based and time-based blind) in versions prior to 1.20.0.5642. The issue arises from reusing code and unvalidated input, allowing crafted PO...

8.8CVSS8.7AI score0.07159EPSS
CVE
CVE
added 2020/11/16 3:49 p.m.70 views

CVE-2020-27422

CVE-2020-27422 affects Anuko Time Tracker v1.19.23.5311, where the password reset link sent by email does not expire after use, enabling an attacker to reuse the same link to take over a victim’s account. The vulnerability is evidenced in multiple sources (including exploit reports) and is mitiga...

9.8CVSS9.4AI score0.07764EPSS
CVE
CVE
added 2021/03/03 12:20 a.m.63 views

CVE-2021-21352

Anuko Time Tracker (PHP) before version 1.19.24.5415 uses time-based tokens in the password-reset feature, enabling brute-force guessing to change user passwords (including admin). The issue is addressed in 1.19.24.5415 (better tokens) and further limited in 1.19.24.5416 with a reduced brute-forc...

9.1CVSS8.1AI score0.01392EPSS
CVE
CVE
added 2021/12/21 11:40 p.m.63 views

CVE-2021-43851

CVE-2021-43851 concerns the Anuko Time Tracker PHP application. The connected documents confirm a SQL injection in multiple files, stemming from improper validation of the group and status parameters in POST requests (notably in groups.php). The vulnerability affects Time Tracker version 1.19.33....

8.8CVSS8.7AI score0.01165EPSS
CVE
CVE
added 2020/10/16 4:20 p.m.62 views

CVE-2020-15255

CVE-2020-15255 affects Anuko Time Tracker prior to 1.19.23.5325, where a CSV export of a report could contain cells treated as formulas due to insufficient input filtering (CSV/Formula Injection). The underlying vulnerability is the lack of proper filtering of user input in exports, which could a...

8.7CVSS7.2AI score0.03462EPSS
CVE
CVE
added 2023/05/15 8:47 p.m.60 views

CVE-2023-32308

The CVE-2023-32308 entry concerns anuko timetracker, an open-source time-tracking system. A Boolean-based blind SQL injection existed in Time Tracker’s invoices.php for versions prior to 1.22.11.5781, caused by a coding error after validating POST parameters and lack of an error check before adju...

9.8CVSS9.4AI score0.00658EPSS
CVE
CVE
added 2020/11/16 3:45 p.m.57 views

CVE-2020-27423

This CVE affects Anuko Time Tracker v1.19.23.5311, where the password-reset module lacks rate limiting, enabling a Denial of Service against any legitimate user’s mailbox. The root cause is an absence of rate limiting on the password reset flow. Public references indicate an exploit exists and de...

7.5CVSS7.5AI score0.06362EPSS
CVE
CVE
added 2021/10/13 5:10 p.m.47 views

CVE-2021-41139

Anuko Time Tracker (PHP) suffers a reflected XSS in time.php via the date URI parameter, exploitable before patch in 1.19.30.5600. An attacker could persuade a logged-in user to click a crafted link, causing attacker-supplied JavaScript to execute in the user’s browser. Remediated in version 1.19...

8.1CVSS6.4AI score0.0099EPSS
CVE
CVE
added 2023/05/09 3:28 p.m.45 views

CVE-2023-32066

Time Tracker’s Week View plugin (versions setTitle call in week.php (line ~245) as implemented in 1.22.12.5783. Affected products include Anuko Time Tracker; no exploitation status is provided in the documents. Recommended remediation: upgrade to 1.22.12.5783 or newer to mitigate the vulnerabilit...

5.4CVSS5.2AI score0.00369EPSS
CVE
CVE
added 2021/04/13 5:20 p.m.42 views

CVE-2021-29436

CVE-2021-29436 affects Anuko Time Tracker (PHP, web-based). Before version 1.19.27.5431 a Cross-Site Request Forgery (CSRF) vulnerability allowed a logged-in user to be tricked into performing unintended actions (e.g., changing a password) via a forged request. The issue is fixed in Time Tracker ...

8.1CVSS6.8AI score0.00525EPSS
CVE
CVE
added 2023/05/12 6:52 p.m.39 views

CVE-2023-32306

Time Tracker vulnerability CVE-2023-32306 exists in the Reports feature (reports.php) of Time Tracker prior to version 1.22.13.5792. A time-based blind SQL injection arises because several POST parameters aren’t properly validated, enabling crafted requests to inject SQL into the Time Tracker dat...

9.8CVSS9.3AI score0.00721EPSS