Description
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 did not escape the primary group name for display. Because of that, a logged in user could modify the primary group name to include JavaScript elements. Such a script could then be executed in the user's browser on subsequent requests to pages where the primary group name was displayed. This vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to add a call to htmlspecialchars when printing the group name.
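The pattern described above, as an added illustration that is not Time Tracker's own code: the unescaped rendering of a stored group name beside the htmlspecialchars-based rendering the advisory recommends. The function names and the sample group name are constructed for this example.

```php
<?php
// Added example, not code from the Time Tracker project: render a stored
// group name in HTML, first the way the vulnerable code did, then escaped.

declare(strict_types=1);

// Escape a value for an HTML text or quoted-attribute context.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// quoted attributes; ENT_SUBSTITUTE keeps malformed UTF-8 from yielding "".
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the group name is interpolated as-is, so any markup
// a user saved into the name becomes part of the page for whoever views it.
function renderGroupNameUnsafe(string $groupName): string
{
    return "<span class=\"group\">{$groupName}</span>";
}

// Hardened pattern: same markup, but the value is escaped once, at output
// time, in the context where it is displayed. Escaping on output rather
// than on save keeps the stored value intact and avoids double-encoding.
function renderGroupNameSafe(string $groupName): string
{
    return '<span class="group">' . escapeForHtml($groupName) . '</span>';
}

// Constructed sample: a group name containing markup, as a user could have
// saved it before the fix. The browser would treat it as a live element.
$stored = 'Sales <script>alert(1)</script>';

echo renderGroupNameUnsafe($stored), PHP_EOL;
echo renderGroupNameSafe($stored), PHP_EOL;

// Self-check: no raw tag from the input survives in the escaped output.
assert(strpos(renderGroupNameSafe($stored), '<script') === false);
```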
References (2)
Third Party Advisory x_refsource_confirm
https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh
Patch, Third Party Advisory x_refsource_misc
https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330
Scores
CVSS v3
6.5
EPSS
0.0021
EPSS Percentile
42.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
anuko/time_tracker
< 1.20.0.5646
Published
Feb 24, 2022
Tracked Since
Feb 18, 2026