CVE-2020-15255

HIGH

Anuko Time Tracker <1.19.23.5325 - Info Disclosure

Title source: llm

Description

In Anuko Time Tracker before verion 1.19.23.5325, due to not properly filtered user input a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for example, when a cell value starts with an equal sign). This is fixed in version 1.19.23.5325.

Exploits (1)

exploitdb WORKING POC

by Mufaddal Masalawala · textwebappsphp

https://www.exploit-db.com/exploits/49027

View Code ZIP pw:eip

References (4)

[Third Party Advisory] https://github.com/anuko/timetracker/security/advisories/GHSA-prjf-9mgh-8fpv

[Patch, Third Party Advisory] https://github.com/anuko/timetracker/commit/d9472904361495f318c9d0294ffd28acaaeae42f

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/159996/Anuko-Time-Tracker-1.19.23.5325-CSV-Injection.html

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/49027

Scores

CVSS v3 8.7

EPSS 0.0125

EPSS Percentile 79.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE

CWE-74 CWE-1236

Status published

Products (1)

anuko/time_tracker < 1.19.23.5325

Published Oct 16, 2020

Tracked Since Feb 18, 2026