Titra
titra 0.99.52 leaks sensitive global configuration settings to any authenticated user via an unprotected Meteor DDP publication, exposing API keys and OAuth secrets without any administrative authorization check. Authenticated attackers can subscribe to the globalsettings publication and retrieve plaintext credentials, including google_secret, openai_apikey, and google_clientid. No public patch is available at the time of publication.
Titra time tracking software versions 0.99.49 and below contain a mass assignment vulnerability in their API that allows authenticated users to inject arbitrary fields into time entries through an unvalidated customfields parameter, enabling attackers to overwrite protected data such as user IDs, hours, and entry states. Public exploit code exists for this vulnerability, which affects the integrity of tracked time data. The issue is resolved in version 0.99.50.
Unauthorized access control in Titra versions 0.99.49 and earlier enables authenticated users to view and modify time entries belonging to other users in private projects without proper authorization. Public exploit code exists for this vulnerability, affecting deployments that have not upgraded to version 0.99.50. The flaw allows authenticated attackers to compromise data integrity and confidentiality of other users' tracked time information.