CVE-2022-24707

HIGH

Anuko Time Tracker <1.20.0.5642 - SQL Injection

Title source: llm

Description

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.

Exploits (3)

exploitdb WORKING POC

by Altelus · pythonwebappsphp

https://www.exploit-db.com/exploits/50915

View Code ZIP pw:eip

nomisec WORKING POC 13 stars

by Altelus1 · poc

https://github.com/Altelus1/CVE-2022-24707

View Code ZIP pw:eip

nomisec WORKING POC

by thepiyushkumarshukla · poc

https://github.com/thepiyushkumarshukla/CVE-2022-24707_AnukoTimeTracker_Version-1.20.0_POC

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/167060/Anuko-Time-Tracker-1.20.0.5640-SQL-Injection.html

[Patch, Third Party Advisory] https://github.com/anuko/timetracker/commit/0e2d6563e2d969209c502a1eae4ddd8e87b73299

[Third Party Advisory] https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj

Scores

CVSS v3 7.4

EPSS 0.0244

EPSS Percentile 85.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Details

CWE

CWE-89

Status published

Products (1)

anuko/time_tracker < 1.20.0.5642

Published Feb 24, 2022

Tracked Since Feb 18, 2026