10 matches found
CVE-2022-24708
The CVE-2022-24708 entry describes a Stored XSS vulnerability in Anuko Time Tracker. The issue occurs in ttUser.class.php where the primary group name was not escaped for display, allowing a logged-in user to inject JavaScript that could execute in their browser on pages displaying the group name...
CVE-2022-24707
CVE-2022-24707 affects Anuko Time Tracker’s Puncher plugin, with an unsanitized date parameter in POST requests enabling SQL injection vulnerabilities (Union-based and time-based blind) in versions prior to 1.20.0.5642. The issue arises from reusing code and unvalidated input, allowing crafted PO...
CVE-2021-21352
Anuko Time Tracker (PHP) before version 1.19.24.5415 uses time-based tokens in the password-reset feature, enabling brute-force guessing to change user passwords (including admin). The issue is addressed in 1.19.24.5415 (better tokens) and further limited in 1.19.24.5416 with a reduced brute-forc...
CVE-2021-43851
CVE-2021-43851 concerns the Anuko Time Tracker PHP application. The connected documents confirm a SQL injection in multiple files, stemming from improper validation of the group and status parameters in POST requests (notably in groups.php). The vulnerability affects Time Tracker version 1.19.33....
CVE-2020-15255
CVE-2020-15255 affects Anuko Time Tracker prior to 1.19.23.5325, where a CSV export of a report could contain cells treated as formulas due to insufficient input filtering (CSV/Formula Injection). The underlying vulnerability is the lack of proper filtering of user input in exports, which could a...
CVE-2023-32308
The CVE-2023-32308 entry concerns anuko timetracker, an open-source time-tracking system. A Boolean-based blind SQL injection existed in Time Tracker’s invoices.php for versions prior to 1.22.11.5781, caused by a coding error after validating POST parameters and lack of an error check before adju...
CVE-2021-41139
Anuko Time Tracker (PHP) suffers a reflected XSS in time.php via the date URI parameter, exploitable before patch in 1.19.30.5600. An attacker could persuade a logged-in user to click a crafted link, causing attacker-supplied JavaScript to execute in the user’s browser. Remediated in version 1.19...
CVE-2023-32066
Time Tracker’s Week View plugin (versions setTitle call in week.php (line ~245) as implemented in 1.22.12.5783. Affected products include Anuko Time Tracker; no exploitation status is provided in the documents. Recommended remediation: upgrade to 1.22.12.5783 or newer to mitigate the vulnerabilit...
CVE-2021-29436
CVE-2021-29436 affects Anuko Time Tracker (PHP, web-based). Before version 1.19.27.5431 a Cross-Site Request Forgery (CSRF) vulnerability allowed a logged-in user to be tricked into performing unintended actions (e.g., changing a password) via a forged request. The issue is fixed in Time Tracker ...
CVE-2023-32306
Time Tracker vulnerability CVE-2023-32306 exists in the Reports feature (reports.php) of Time Tracker prior to version 1.22.13.5792. A time-based blind SQL injection arises because several POST parameters aren’t properly validated, enabling crafted requests to inject SQL into the Time Tracker dat...