CVE-2021-43851
Description
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.19.33.5606+ 1 more
- (no CPE)range: <=1.19.33.5606
- (no CPE)range: < 1.19.33.5607
Patches
Vulnerability mechanics
References
3- github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6anvdPatchThird Party Advisory
- github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1bnvdPatchThird Party Advisory
- github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqccnvdThird Party Advisory
News mentions
0No linked articles in our index yet.