Stored XSS vulnerability in anuko/timetracker
Description
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker versions prior to 1.20.0.5646, ttUser.class.php did not escape the primary group name for display. Because of that, a logged-in user could set the primary group name to a value containing JavaScript. That script would then execute in users' browsers on subsequent requests to pages where the primary group name was displayed. This vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to add a call to htmlspecialchars when printing the group name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Anuko Time Tracker prior to 1.20.0.5646 has a stored XSS vulnerability where a logged-in user can inject JavaScript into the primary group name, which executes when displayed.
Vulnerability
Anuko Time Tracker versions prior to 1.20.0.5646 contain a stored cross-site scripting (XSS) vulnerability in ttUser.class.php. The application failed to escape the primary group name using htmlspecialchars before display. A logged-in user with the ability to modify their group name could inject arbitrary JavaScript code as part of that name. This code would then be stored and executed in the browsers of other users viewing pages where the group name is rendered [1][2].
Exploitation
An attacker must be a logged-in user with the ability to change their primary group name (typically granted to group managers or admins). The attacker sets the group name to a string containing JavaScript payloads, e.g., ``. No additional privileges or user interaction beyond normal page viewing is required. When any user (including administrators) visits pages that display the group name, the injected script executes [1][2].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data exfiltration, or other malicious actions performed under the victim's identity and privileges [2].
Mitigation
The vulnerability is fixed in version 1.20.0.5646, released in the commit 6aaad31 on 2022-02-23. Users unable to upgrade should apply the workaround: modify getUserPartForHeader in ttUser.class.php to use htmlspecialchars when printing the group name — change line 837 from $user_part .= ', '.$this->group_name; to $user_part .= ', '.htmlspecialchars($this->group_name); [1][2].
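The two rendering paths side by side, as an added PHP example that is not code from the anuko/timetracker repository: the class, method and property names are constructed stand-ins for the header-building code in ttUser.class.php, and the sample group name carries harmless markup only.

```php
<?php
// Added example, not code from the anuko/timetracker repository.
// Minimal stand-in for the header-building code in ttUser.class.php:
// the class, property and method names here are constructed.
class UserHeaderStub
{
    public function __construct(public string $login, public string $group_name) {}

    // Vulnerable pattern (before 1.20.0.5646): the login is escaped but the
    // group name is concatenated raw, so markup stored in it renders live.
    public function headerBefore(): string
    {
        $user_part = htmlspecialchars($this->login);
        $user_part .= ', ' . $this->group_name;
        return $user_part;
    }

    // Fixed pattern: the additional htmlspecialchars call at the output point.
    // ENT_QUOTES is passed explicitly: before PHP 8.1 the default flags leave
    // single quotes alone, which matters if the value lands in an attribute.
    public function headerAfter(): string
    {
        $flags = ENT_QUOTES | ENT_SUBSTITUTE;
        $user_part = htmlspecialchars($this->login, $flags, 'UTF-8');
        $user_part .= ', ' . htmlspecialchars($this->group_name, $flags, 'UTF-8');
        return $user_part;
    }
}

// Check a reviewer or regression test can run on any rendered header:
// raw angle brackets and quotes from the group name must never reach the page.
function renderedSafely(string $rendered, string $prefix): bool
{
    $tail = substr($rendered, strlen($prefix));
    return strpbrk($tail, '<>"\'') === false;
}

// Constructed sample: harmless markup stands in for whatever a user might store.
$u = new UserHeaderStub('alice', "Sales <b title='x'>Team</b>");
$prefix = 'alice, ';

var_dump(renderedSafely($u->headerBefore(), $prefix));
var_dump(renderedSafely($u->headerAfter(), $prefix));
echo $u->headerAfter(), PHP_EOL;
```

The vulnerable path fails the check and the fixed path passes, because every `<`, `>`, `"` and `'` in the stored group name is turned into an HTML entity before it reaches the browser.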
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: < 1.20.0.5646
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330 (MISC)
- [2] github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh (CONFIRM)
News mentions
No linked articles in our index yet.