CVSSv3: 8.8

CVE-2022-24707

Published: 24/02/2022 Updated: 12/05/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind SQL injection vulnerabilities existed in the Time Tracker Puncher plugin in versions of Anuko Time Tracker before 1.20.0.5642. This happened because the Puncher plugin reused code from other places and relied on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests containing malicious SQL for the Time Tracker database. This issue has been resolved in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to the input.
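The advisory's advice to add input checks, as an added example that is not Anuko Time Tracker's own code: the unchecked pattern it describes (a POST date value interpolated into SQL) next to a handler that validates the date strictly and binds it in a prepared statement. The table name tt_log, the column names and the function names are assumptions for illustration.

```php
<?php
// Added example (not Anuko's code). Table/column names are assumed.

// Unchecked pattern the advisory describes: the raw request value reaches the
// query text unchanged, so anything appended to a date becomes SQL.
function punchQueryUnsafe(mysqli $db, int $userId, array $post)
{
    $date = $post['date'];                                   // no validation
    $sql = "SELECT * FROM tt_log WHERE user_id = $userId AND date = '$date'";
    return $db->query($sql);
}

// Hardened: accept only a real calendar date in the one format the form sends.
function validateDate(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat is lenient (2022-02-31 rolls over into March), so require
    // an exact round-trip: only strict YYYY-MM-DD values for real dates pass.
    if ($d === false || $d->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

function punchQuerySafe(mysqli $db, int $userId, array $post)
{
    $date = validateDate($post['date'] ?? null);
    if ($date === null) {
        http_response_code(400);   // reject rather than guess what was meant
        return null;
    }
    // The value is bound as data; it is never part of the SQL text.
    $stmt = $db->prepare('SELECT * FROM tt_log WHERE user_id = ? AND date = ?');
    $stmt->bind_param('is', $userId, $date);
    $stmt->execute();
    return $stmt->get_result();
}

// Self-check of the validator on constructed inputs.
assert(validateDate('2022-02-24') === '2022-02-24');
assert(validateDate('2022-02-31') === null);      // not a real date
assert(validateDate("2022-02-24' --") === null);  // SQL metacharacters rejected
assert(validateDate('24/02/2022') === null);      // wrong format
assert(validateDate(null) === null);              // missing parameter
```

Validating and binding are complementary: the prepared statement stops injection even if validation is bypassed, and validation rejects malformed dates before they reach the database.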

Affected Product

Anuko Time Tracker

Exploits

Anuko Time Tracker version 12005640 suffers from a remote SQL injection vulnerability ...

GitHub Repositories

PoC of CVE-2022-24707

PoC for CVE-2022-24707, SQL Injection Vulnerability on Puncher plugin. A POST request can be crafted to exploit SQL Injection and leak database contents. This is tested on Anuko Time Tracker 12005640.

    python3 exploit.py --help
    usage: exploit.py [-h] --username USERNAME --password PASSWORD --host HOST [--sqli SQLI]