CVE-2023-32066

EPSS 0.08%
Veröffentlicht 09.05.2023 16:15:15
Zuletzt bearbeitet 21.11.2024 08:02:38
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use `htmlspecialchars` when calling `$field->setTitle` on line #245 in the `week.php` file,  as happens in version 1.22.12.5783.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Anuko ≫ Time Tracker Version < 1.22.12.5783

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.25

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb

Patch

https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-32066

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32066

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32066

EUVD