Strix
26.1K

CVE-2021-43851

HIGHCVSS 8.8/10EPSS 1.17%

Last modified

CVE-2021-43851 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. EPSS estimates a 1.17% chance of exploitation in the next 30 days.

Description

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
1.17%

63.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
AnukoTime Tracker< 1.19.33.5607

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-43851?
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.
How severe is CVE-2021-43851?
CVE-2021-43851 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.17% probability of exploitation in the next 30 days.
How do I fix CVE-2021-43851?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-43851?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST