Time Tracker has Stored XSS vulnerability in Week View plugin
Description
Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in the week view table. Because of that, it was possible for a logged-in user to enter notes with elements of JavaScript. Such script could then be executed in the user's browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use htmlspecialchars when calling $field->setTitle on line #245 in the week.php file, as happens in version 1.22.12.5783.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Time Tracker's week view plugin allows authenticated users to inject JavaScript via note titles, fixed in 1.22.12.5783.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the week view plugin of Time Tracker versions 1.22.11.5782 and prior. The issue is in the week.php file, where the $field->setTitle() method does not escape note titles before rendering them in the week view table. This allows an authenticated user to enter arbitrary JavaScript as part of a note title, which will be executed in the browser of any user viewing that week view. The vulnerable code path is triggered when rendering odd rows in the table, where the note content is used directly as a tooltip title without sanitization. This was fixed in version 1.22.12.5783 by applying htmlspecialchars to the note value before passing it to setTitle [1][2].
Exploitation
To exploit this vulnerability, an attacker must be a logged-in user with permission to add or edit notes in the time tracking system. The attacker can craft a note containing malicious JavaScript, for example ``. When any user (including administrators) subsequently loads the week view, the note is displayed in the table, and the unsanitized title attribute triggers execution of the injected script in the context of the victim's session. No additional user interaction beyond viewing the week view is required [2].
Impact
Successful exploitation permits persistent execution of arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, exfiltration of sensitive data displayed on the page, or further actions such as modifying time entries or performing actions on behalf of the victim. The attack is stored, meaning the malicious payload remains in the system and affects all subsequent viewers until the note is removed or the application is patched [2].
Mitigation
The vulnerability is fixed in Time Tracker version 1.22.12.5783, released on May 9, 2023. Users should upgrade to this version immediately. As a workaround, administrators can manually apply the fix by modifying week.php line 245 to use htmlspecialchars when calling $field->setTitle(): $field->setTitle(htmlspecialchars($table->getValueAt($row,$column)['note'])); [1][2]. No CISA KEV listing has been reported as of this writing.
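The escaping step the fix relies on, shown as an added stand-alone example rather than Time Tracker's own code: a note value is placed into a cell's title attribute first without escaping (the pre-1.22.12.5783 behaviour the advisory describes) and then with htmlspecialchars as the fix does. The function names, the cell markup and the sample note are constructed for this illustration and do not come from week.php; the project's real $field->setTitle and $table->getValueAt calls are not reproduced here.

```php
<?php
// Added example (not Time Tracker's code): escaping a note before it becomes
// a tooltip title attribute. Function names below are hypothetical.

declare(strict_types=1);

// Vulnerable variant: the note text reaches the title attribute untouched,
// which is the behaviour the advisory describes for versions <= 1.22.11.5782.
function renderCellTitleUnsafe(string $note): string
{
    return '<td title="' . $note . '">...</td>';
}

// Fixed variant: escape before the value enters the attribute, as the
// 1.22.12.5783 fix does with htmlspecialchars. ENT_QUOTES is passed explicitly
// so single quotes are escaped as well (PHP versions before 8.1 defaulted to
// ENT_COMPAT, which leaves them alone); ENT_SUBSTITUTE returns a replacement
// character for invalid UTF-8 instead of an empty string.
function renderCellTitleSafe(string $note): string
{
    $escaped = htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td title="' . $escaped . '">...</td>';
}

// Defensive check used in a regression test: a correctly rendered cell has
// exactly two double quotes (the attribute delimiters) and exactly two '<'
// (the opening and closing td tags). Any extra one means the note broke out
// of the attribute or opened a tag of its own.
function cellIsWellFormed(string $html): bool
{
    return substr_count($html, '"') === 2 && substr_count($html, '<') === 2;
}

// Constructed sample note containing the characters that matter for an
// attribute context: double quotes and angle brackets. Deliberately benign.
$note = 'Standup "notes" <see ticket>';

$unsafe = renderCellTitleUnsafe($note);
$safe   = renderCellTitleSafe($note);

printf("unsafe: %s\n  well-formed: %s\n", $unsafe, cellIsWellFormed($unsafe) ? 'yes' : 'no');
printf("safe:   %s\n  well-formed: %s\n", $safe, cellIsWellFormed($safe) ? 'yes' : 'no');
// Expected: the unsafe cell carries four quotes and three '<' and fails the
// check; the safe cell shows &quot; and &lt;/&gt; entities and passes.
```

The check is intentionally crude and tied to this one cell shape; it is meant to fail loudly in a unit test when someone reintroduces an unescaped attribute, not to replace a real HTML parser. Escaping at the output point, as the fix does, is preferable to filtering notes on input: the same note may later be rendered in a non-HTML context where entity encoding would be wrong.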
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 1.22.12.5783
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e914eb (x_refsource_MISC)
- https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.