5.4
CVE-2023-32066
- EPSS 0.37%
- Veröffentlicht 09.05.2023 16:15:15
- Zuletzt bearbeitet 21.11.2024 08:02:38
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginTime Tracker has Stored XSS vulnerability in Week View plugin
Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use `htmlspecialchars` when calling `$field->setTitle` on line #245 in the `week.php` file, as happens in version 1.22.12.5783.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Anuko ≫ Time Tracker Version < 1.22.12.5783
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.285 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb
https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw