CVE-2020-27422

CRITICAL

Anuko Time Tracker <1.19.23.5311 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-27422. PoCs published by Mufaddal Masalawala.

AI-analyzed exploit summary: This exploit describes a password reset vulnerability in Anuko Time Tracker where the reset link does not expire after use, allowing an attacker to repeatedly change the victim's password using the same link. The PoC outlines steps to exploit this flaw but does not include executable code.

Description

In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to take over the account.

Exploits (1)

exploitdb WRITEUP
by Mufaddal Masalawala · tags: text, webapps, php
https://www.exploit-db.com/exploits/49174


Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Anuko Time Tracker v1.19.23.5311 and prior
No auth needed
Prerequisites: Access to a valid password reset link of the target user
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Product, Vendor Advisory (x_refsource_misc)
https://www.anuko.com/time-tracker/index.htm

Scores

CVSS v3 9.8
EPSS 0.0776
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-613
Status published
Products (1)
anuko/time_tracker < 1.19.23.5311
Published Nov 16, 2020
Tracked Since Feb 18, 2026