CVE-2021-47967
Description
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Timeclock 1.04 contains multiple unauthenticated reflected XSS vulnerabilities allowing arbitrary JavaScript injection via URL paths and POST parameters.
Vulnerability
Analysis
PHP Timeclock 1.04 suffers from multiple reflected cross-site scripting (XSS) vulnerabilities due to insufficient sanitization of user-supplied input. An unauthenticated attacker can inject arbitrary JavaScript by appending a malicious payload to URL paths such as /login.php, /timeclock.php, /reports/audit.php, and /reports/timerpt.php [2]. Additionally, POST requests to report endpoints are vulnerable via the from_date and to_date parameters [2][4].
Exploitation
No authentication is required to exploit these flaws. For the URL-path variant, an attacker can craft a link like http://target/login.php/'><svg/onload=alertxss> that, when visited, executes the attacker's script in the user's browser [2]. For the parameter-based variant, a crafted POST request to /reports/audit.php (or similar) with malicious from_date or to_date values will trigger script execution when the report is rendered [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites [4]. The application is a web-based timeclock system (version 1.04, released around 2006) [1][3].
Mitigation
As of this advisory, PHP Timeclock 1.04 is an old, unmaintained project; the latest news on the vendor site dates from 2006 [1]. No patch has been released for these XSS issues. Users are advised to migrate to an alternative timeclock solution or implement a web application firewall (WAF) to filter malicious payloads [2][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.04
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.