CVE-2023-32308

HIGH

anuko timetracker < 1.22.11.5781 - SQL Injection in invoices.php

Title source: llm

Description

anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling `ttGroupHelper::getActiveInvoices()` in invoices.php.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r

Patch x_refsource_misc

https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf

View Patch ZIP pw:eip

Scores

CVSS v3 8.2

EPSS 0.0066

EPSS Percentile 46.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

anuko/time_tracker < 1.22.11.5781

Published May 15, 2023

Tracked Since Feb 18, 2026