Time Tracker
CVE-2022-24707
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.
AnalysisAI
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input. Affected products include: Anuko Time Tracker. Version information: prior to 1.20.0.5642..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
More in Time Tracker
View allIn Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could
anuko timetracker is an open source time tracking system. Rated critical severity (CVSS 9.8), this vulnerability is remo
Time Tracker is an open source time tracking system. Rated critical severity (CVSS 9.8), this vulnerability is remotely
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an a
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated critical severity (CVSS
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated high severity (CVSS 8.8)
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated high severity (CVSS 8.1)
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which c
Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial o
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated medium severity (CVSS 6.
Time Tracker is an open source time tracking system. Rated medium severity (CVSS 5.4), this vulnerability is remotely ex
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated medium severity (CVSS 5.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today