VYPR
Unrated severity · NVD Advisory · Published Feb 23, 2022 · Updated Apr 22, 2025

SQL injection in anuko timetracker

CVE-2022-24707

Description

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in the Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for the Time Tracker database. This issue has been resolved in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

UNION and time-based blind SQL injection in Anuko Time Tracker Puncher plugin (<1.20.0.5642) due to unsanitized date parameter in POST requests.

Vulnerability

Anuko Time Tracker versions prior to 1.20.0.5642 are vulnerable to UNION SQL injection and time-based blind SQL injection in the Puncher plugin [2]. The vulnerability exists because the Puncher plugin reuses code from other places and relies on an unsanitized date parameter in POST requests. This parameter is not validated before being used in database queries, allowing an attacker to inject malicious SQL [2]. The issue was fixed in version 1.20.0.5642 with a more robust fix in 1.20.0.5643 when the Puncher plugin was recoded [2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to the Puncher plugin with a malicious date parameter [1][2]. The attacker does not need any special network position beyond access to the Time Tracker application. No authentication is mentioned in the references, but the Puncher plugin likely requires user login. The attacker would send a POST request containing a date parameter with SQL injection payload, such as ' UNION SELECT ... or a time-based blind payload. The lack of input validation means the malicious SQL is passed directly to the database [1][2].

Impact

Successful exploitation allows an attacker to perform UNION SQL injection (retrieving arbitrary data from the database) or time-based blind SQL injection (extracting information by observing response delays) [2]. This could lead to disclosure of sensitive information stored in the Time Tracker database, such as user credentials, timetracking data, or other business data. The attacker gains read access to the database, potentially leading to further compromise [2].

Mitigation

The vulnerability is fixed in version 1.20.0.5642, with a more complete fix in 1.20.0.5643 [2]. Users should upgrade to version 1.20.0.5642 or later immediately. If upgrading is not practical, the vendor provides a workaround: add a validation check for the date parameter in the access checks portion of puncher.php, as implemented in the commit for version 1.20.0.5642 [1][2]. Note that this check is no longer needed when using the updated Puncher plugin from version 1.20.0.5643 [2].
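The workaround described above has two parts a defender would want to see together: reject the date parameter before it reaches any query unless it is a well-formed calendar date, and bind the value in a prepared statement rather than concatenating it. The PHP below is an added illustration, not Anuko Time Tracker's own code or its puncher.php; the function names, the tt_log table and its columns, and the PDO handle are assumptions made for the example.

```php
<?php
// Added illustration, not code from Anuko Time Tracker. Hypothetical handler
// for a Puncher-style POST request; table and column names are assumed.

declare(strict_types=1);

/**
 * Return the date as 'YYYY-MM-DD' only if $raw is a well-formed calendar date.
 * Anything else (including a date with characters appended) yields null.
 */
function validatedDate(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Strict shape: exactly ten characters, digits and dashes in fixed positions.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return null;
    }
    // Reject impossible dates such as 2022-02-30 that still match the pattern:
    // PHP would roll them over, so the round trip no longer matches the input.
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

/**
 * The defect class the advisory describes: the POST value is spliced into the
 * SQL text, so whatever follows the date is interpreted as SQL by the server.
 * Shown for contrast only; nothing here executes it.
 */
function vulnerableQueryText(string $rawDate, int $userId): string
{
    return "SELECT id, start, duration FROM tt_log WHERE user_id = $userId AND date = '$rawDate'";
}

/**
 * Hardened pattern: validate first (the access-check stage), then bind the
 * value with a prepared statement so the database never parses it as SQL.
 */
function fetchRecordsForDate(PDO $db, ?string $rawDate, int $userId): array
{
    $date = validatedDate($rawDate);
    if ($date === null) {
        // Stop before touching the database, as an access check would.
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare(
        'SELECT id, start, duration FROM tt_log WHERE user_id = :uid AND date = :date'
    );
    $stmt->execute([':uid' => $userId, ':date' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check of the validator with constructed inputs (no database needed).
$cases = [
    '2022-02-23'  => '2022-02-23', // well-formed date passes through unchanged
    '2022-02-30'  => null,         // matches the pattern but is not a real date
    "2022-02-23'" => null,         // trailing quote: rejected before any query
    '23/02/2022'  => null,         // wrong shape
    ''            => null,
];
foreach ($cases as $input => $expected) {
    $got = validatedDate((string) $input);
    assert($got === $expected, "validatedDate('$input') gave unexpected result");
}
echo "validator checks passed\n";
```

The validator is deliberately stricter than "looks like a date": the pattern check alone would accept 2022-02-30, which DateTime silently rolls forward, so the round-trip comparison closes that gap. Binding through PDO is what actually removes the injection; the validation is the cheap early rejection the vendor workaround adds, and it is also the point where a request with a malformed date can be logged as a detection signal.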

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
