Lucene search

[email protected]NVD:CVE-2023-32066

HistoryMay 09, 2023 - 4:15 p.m.

CVE-2023-32066

2023-05-0916:15:15

CWE-79

[email protected]

web.nvd.nist.gov

time tracker

javascript injection

week view table

version 1.22.11.5782

version 1.22.12.5783

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

40.5%

JSON

Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use htmlspecialchars when calling $field->setTitle on line #245 in the week.php file, as happens in version 1.22.12.5783.

Affected configurations

Nvd

Node

anukotime_trackerRange<1.22.12.5783

VendorProductVersionCPE
anukotime_tracker*cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
anuko	time_tracker	*	cpe:2.3:a:anuko:time_tracker::::::::

References

github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb

github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw