SQL Injection Vulnerability in anuko timetracker
Description
anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling ttGroupHelper::getActiveInvoices() in invoices.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Boolean-based blind SQL injection in anuko timetracker invoices.php prior to 1.22.11.5781 allows remote attackers to execute arbitrary SQL via crafted POST parameters.
Vulnerability
A boolean-based blind SQL injection vulnerability exists in invoices.php of anuko timetracker versions prior to 1.22.11.5781. The issue arises because after validating POST parameters, there is no check for errors before adjusting the invoice sorting order. This allows an attacker to inject malicious SQL via the sort_order or sort_option parameters [1][2].
Exploitation
An attacker can send a crafted POST request to invoices.php with malicious SQL in the sorting parameters. The injection is boolean-based blind, meaning the attacker infers information from differences in the application's response (such as content differences between a true and a false condition) rather than from directly returned query output. No authentication is required if the invoices page is accessible [2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the Time Tracker database. This can lead to disclosure of sensitive data, such as user credentials or time tracking records. The impact is high, as it compromises confidentiality and may enable further attacks [2].
Mitigation
The vulnerability is fixed in version 1.22.11.5781 [1][2]. Users are advised to upgrade. If immediate upgrade is not possible, a workaround is to insert an additional check for errors (line 79) before calling ttGroupHelper::getActiveInvoices() in invoices.php [1][2].
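As an added illustration of the fix pattern the advisory describes (this is not anuko timetracker code, and the function names, table layout and allowlist below are hypothetical), the fragment validates the POST sort parameters into an error list, maps them through a fixed allowlist because an ORDER BY clause cannot be bound as a prepared-statement parameter, and only queries invoices when no errors were recorded:

```php
<?php
// Added example, not anuko timetracker code; all names are hypothetical.

// ORDER BY cannot be bound as a prepared-statement parameter, so the request
// value is mapped through a fixed allowlist onto a literal column/direction.
const SORT_COLUMNS    = ['date' => 'date', 'name' => 'name'];
const SORT_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

function validateSortParams(array $post, array &$errors): array
{
    $option = $post['sort_option'] ?? 'date';
    $order  = $post['sort_order']  ?? 'asc';
    if (!array_key_exists($option, SORT_COLUMNS))    { $errors[] = 'Invalid sort_option.'; }
    if (!array_key_exists($order,  SORT_DIRECTIONS)) { $errors[] = 'Invalid sort_order.'; }
    return [$option, $order];
}

function getActiveInvoicesSorted(PDO $db, int $groupId, string $option, string $order): array
{
    // Only allowlisted keys reach this point; the lookup yields fixed SQL fragments.
    $orderBy = SORT_COLUMNS[$option] . ' ' . SORT_DIRECTIONS[$order];
    $stmt = $db->prepare("SELECT id, name, date FROM invoices
                          WHERE group_id = :gid AND status = 1 ORDER BY $orderBy");
    $stmt->execute([':gid' => $groupId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handler flow: validate, then gate the query on an empty error list. The
// advisory describes the pre-fix code adjusting the sort order without this gate.
function handleInvoicesPost(PDO $db, int $groupId, array $post): array
{
    $errors = [];
    [$option, $order] = validateSortParams($post, $errors);
    if (count($errors) > 0) {            // the check the advisory says was missing
        return ['errors' => $errors, 'invoices' => []];
    }
    return ['errors' => [], 'invoices' => getActiveInvoicesSorted($db, $groupId, $option, $order)];
}

// Constructed in-memory fixture so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE invoices (id INTEGER, group_id INTEGER, status INTEGER, name TEXT, date TEXT)');
$db->exec("INSERT INTO invoices VALUES (1, 7, 1, 'B', '2024-02-01'), (2, 7, 1, 'A', '2024-01-01')");

// Allowlisted input: the query runs with a literal ORDER BY clause.
print_r(handleInvoicesPost($db, 7, ['sort_option' => 'name', 'sort_order' => 'asc']));
// Non-allowlisted input: errors are returned and the query is never built.
print_r(handleInvoicesPost($db, 7, ['sort_option' => 'bogus', 'sort_order' => 'asc']));
```

The same gate applies to any other validated POST field that later feeds a query: collect errors during validation and test the error container once, before the first database call.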
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 1.22.11.5781
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf (MISC)
- [2] github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r (CONFIRM)
News mentions
No linked articles in our index yet.