Time Tracker
CVE-2021-21352
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).
AnalysisAI
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-330. Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing). Affected products include: Anuko Time Tracker. Version information: version 1.19.24.5415.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Time Tracker
View allAnuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated high severity (CVSS 8.8)
In Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could
anuko timetracker is an open source time tracking system. Rated critical severity (CVSS 9.8), this vulnerability is remo
Time Tracker is an open source time tracking system. Rated critical severity (CVSS 9.8), this vulnerability is remotely
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an a
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated high severity (CVSS 8.8)
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated high severity (CVSS 8.1)
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which c
Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial o
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated medium severity (CVSS 6.
Time Tracker is an open source time tracking system. Rated medium severity (CVSS 5.4), this vulnerability is remotely ex
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated medium severity (CVSS 5.
Same weakness CWE-330 – Use of Insufficiently Random Values
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today