CVE-2023-32066
CVE-2023-32066 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior did not escape the titles of notes in the week view table. EPSS estimates a 0.37% chance of exploitation in the next 30 days.
Description
Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior did not escape the titles of notes in the week view table. Because of that, a logged-in user could enter notes containing JavaScript elements. Such a script could then be executed in another user's browser on subsequent requests to the week view. This issue is fixed in version 1.22.12.5783. As a workaround, use `htmlspecialchars` when calling `$field->setTitle` on line #245 in the `week.php` file, as is done in version 1.22.12.5783.
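The following PHP snippet is an added illustration of the escaping pattern the advisory describes; it is not code from the Time Tracker project. The `Field` class and its `render()` method are simplified stand-ins (assumed) for whatever `week.php` passes the note title to; only the difference between the unescaped and the `htmlspecialchars`-wrapped `setTitle` call is taken from the advisory.

```php
<?php
// Added example, not Time Tracker's own code. Field/setTitle/render are
// simplified stand-ins (assumed) for the real week view table cell code.
class Field
{
    private string $title = '';

    public function setTitle(string $title): void
    {
        $this->title = $title;
    }

    public function getTitle(): string
    {
        return $this->title;
    }

    // Emit the title attribute the way a week view cell might; the value is
    // inserted verbatim, so escaping has to happen before setTitle() is called.
    public function render(): string
    {
        return '<td title="' . $this->title . '">...</td>';
    }
}

// Constructed sample note text containing HTML metacharacters.
$note = 'Sync w/ <b>Ops</b> & "QA"';

// Vulnerable pattern (1.22.11.5782 and prior): the note goes into the
// attribute unchanged, so markup in it becomes part of the rendered page
// for every user who later loads the week view.
$unsafe = new Field();
$unsafe->setTitle($note);

// Fixed pattern (1.22.12.5783 and the advisory's workaround): encode the
// value before handing it to setTitle(). ENT_QUOTES also encodes single and
// double quotes, which is what keeps the value inside the attribute.
$safe = new Field();
$safe->setTitle(htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));

echo $unsafe->render(), PHP_EOL;
echo $safe->render(), PHP_EOL;
```

Running the file shows the unescaped cell with the quote and angle brackets intact, while the escaped cell carries `&lt;`, `&gt;`, `&amp;` and `&quot;` instead, so the browser treats the note purely as text. Encoding at the output boundary (here, the `setTitle` call that feeds the HTML attribute) rather than on input is what makes the fix hold regardless of how the note was stored.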
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Anuko | Time Tracker | < 1.22.12.5783 |
References
- https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw (Third Party Advisory)
Source: NVD / NIST
