Medium severity5.4NVD Advisory· Published May 9, 2023· Updated Jun 17, 2026
CVE-2023-32066
CVE-2023-32066
Description
Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use htmlspecialchars when calling $field->setTitle on line #245 in the week.php file, as happens in version 1.22.12.5783.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3<=1.22.11.5782+ 1 more
- (no CPE)range: <=1.22.11.5782
- (no CPE)range: < 1.22.12.5783
- Range: <=1.22.11.5782
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.