CVE-2019-1010287
Description
Timesheet Next Gen 1.5.3 and earlier has a reflected XSS vulnerability in login.php via the redirect parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Timesheet Next Gen versions 1.5.3 and earlier are vulnerable to reflected cross-site scripting (XSS) in the login form (login.php). The redirect parameter is taken directly from the request ($_REQUEST["redirect"]) and echoed back into the page in two places: line 40 sets the Location header with the unsanitized value, and line 54 writes it into a hidden input field without any output encoding [1][2]. An attacker can inject arbitrary HTML and JavaScript into the page by crafting a malicious redirect value.
Exploitation
The attacker crafts a malicious URL pointing to the vulnerable application's login.php with a redirect parameter containing a JavaScript payload, for example redirect="/><input style="display:none [2]. The victim must click this URL (reflected XSS). No authentication is required to trigger the vulnerability; the code path is reachable even before login. The payload is reflected in the hidden input field's value attribute and, if the login form is submitted, also in the Location header (though the header injection does not produce an XSS in the browser, the hidden input reflection does).
Impact
An attacker can execute arbitrary HTML and JavaScript in the victim's browser within the security context of the vulnerable Timesheet Next Gen application. This can lead to session hijacking, credential theft (via keylogging or phishing overlays), or defacement. The impact is limited to reflected XSS, meaning the attacker must trick the victim into clicking the crafted link; no persistent storage is involved.
Mitigation
The vendor has not released a patched version for this legacy branch (the code on SourceForge indicates the branch is "legacy") [1]. Users should upgrade to a supported version of Timesheet Next Gen or migrate to an alternative solution. As a workaround, administrators can place the application behind a web application firewall (WAF) with rules to block reflected XSS payloads in the redirect parameter. No CISA KEV listing is known.
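As an added, defender-side illustration (not Timesheet Next Gen's own code and not a vendor patch), the snippet below shows the two controls that close this class of bug: the redirect value is validated as a same-site relative path before it is used in the Location header, and it is HTML-attribute-encoded with htmlspecialchars() before being written into the hidden input. The file layout, the default landing page and the authenticate() call are assumptions for the example.

```php
<?php
// Added example (not the project's code): a hardened way to carry a
// post-login "redirect" target through a login form.
//
// Assumptions (not taken from the CVE record): the form lives at login.php,
// the application only ever needs to return the user to a page on the same
// site, and authenticate() is a stand-in for the application's own check.

/**
 * Accept only a same-site relative path such as "/index.php?week=3".
 * Absolute URLs, protocol-relative "//host" values, CR/LF, spaces, quotes
 * and angle brackets all fall back to the default landing page.
 */
function safe_redirect_target(?string $raw, string $default = '/index.php'): string
{
    if ($raw === null || $raw === '') {
        return $default;
    }
    // Reject CR/LF (header injection) and anything outside printable ASCII.
    if (preg_match('/[^\x21-\x7E]/', $raw)) {
        return $default;
    }
    // Must start with exactly one "/" and contain only path/query characters;
    // this refuses "http://...", "//evil.example" and the quote/angle-bracket
    // characters an HTML-attribute breakout needs.
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9_\-./?=&%]*$#', $raw)) {
        return $default;
    }
    // Belt and braces: parse_url() must not find a host or scheme either.
    $parts = parse_url($raw);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $default;
    }
    return $raw;
}

// Validate once, then use the validated value everywhere below.
$redirect = safe_redirect_target($_REQUEST['redirect'] ?? null);

if (isset($_POST['username'], $_POST['password'])
    && authenticate($_POST['username'], $_POST['password'])) { // hypothetical helper
    // Only a validated same-site path ever reaches the Location header.
    header('Location: ' . $redirect);
    exit;
}
?>
<form method="post" action="login.php">
  <!-- Output-encode every attribute value, even one that was validated above. -->
  <input type="hidden" name="redirect"
         value="<?= htmlspecialchars($redirect, ENT_QUOTES | ENT_HTML5, 'UTF-8') ?>">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
```

The two layers are deliberately independent: the allow-list makes the value safe for the Location header (and doubles as an open-redirect control), while the encoding makes it safe inside the value attribute even if the allow-list is later relaxed. A payload of the shape the advisory cites (`"/><input ...`) fails the allow-list, so the default page is used; if it somehow reached the template, the quotes and angle brackets would be rendered as entities rather than breaking out of the attribute.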
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.3
- Range: 1.5.3 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- sourceforge.net/p/tsheetx/code/497/tree/branches/legacy/login.php
- sourceforge.net/p/tsheetx/discussion/779083/thread/7fcb52f696/
News mentions
No linked articles in our index yet.