CVE-2020-27422

CRITICAL

Anuko Time Tracker <1.19.23.5311 - Info Disclosure

Title source: llm

Description

In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to take over the account.

Exploits (1)

exploitdb WRITEUP
by Mufaddal Masalawala · text · webapps · php
https://www.exploit-db.com/exploits/49174

Scores

CVSS v3 9.8
EPSS 0.1018
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-613
Status published
Products (1)
anuko/time_tracker < 1.19.23.5311
Published Nov 16, 2020
Tracked Since Feb 18, 2026