CVE-2021-43851

Published: 22/12/2021 Updated: 28/12/2021

CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 578

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.

Vulnerable Product	Search on Vulmon	Subscribe to Product
anuko time tracker

CWE-89 https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2021-43851

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect