{"containers": {"cna": {"affected": [{"product": "timetracker", "vendor": "anuko", "versions": [{"status": "affected", "version": "< 1.19.30.5600"}]}], "descriptions": [{"lang": "en", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user's browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-13T17:10:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c"}], "source": {"advisory": "GHSA-h2v8-87c9-86cw", "discovery": "UNKNOWN"}, "title": "Reflected XSS vulnerability in time.php", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41139", "STATE": "PUBLIC", "TITLE": "Reflected XSS vulnerability in time.php"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "timetracker", "version": {"version_data": [{"version_value": "< 1.19.30.5600"}]}}]}, "vendor_name": "anuko"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user's browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw", "refsource": "CONFIRM", "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw"}, {"name": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593", "refsource": "MISC", "url": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593"}, {"name": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c", "refsource": "MISC", "url": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c"}]}, "source": {"advisory": "GHSA-h2v8-87c9-86cw", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41139", "datePublished": "2021-10-13T17:10:10", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2021-10-13T17:10:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5A8B606-00BA-4ACD-8593-377DD978D2CE", "versionEndExcluding": "1.19.30.5600", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user's browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php."}, {"lang": "es", "value": "Anuko Time Tracker es una aplicaci\u00f3n de seguimiento de tiempo de c\u00f3digo abierto, basada en la web y escrita en PHP. Cuando un usuario conectado selecciona una fecha en Time Tracker, se pasa por medio del par\u00e1metro de fecha en URI. Debido a que no se comprobaba este par\u00e1metro para saneo en las versiones anteriores a 1.19.30.5600, era posible dise\u00f1ar el URI con JavaScript malicioso, usar ingenier\u00eda social para convencer al usuario conectado de que hiciera clic en dicho enlace y hacer que el JavaScript suministrado por el atacante se ejecutara en el navegador del usuario. Este problema est\u00e1 parcheado en la versi\u00f3n 1.19.30.5600. Como soluci\u00f3n, es posible introducir la funci\u00f3n \"ttValidDbDateFormatDate\" como en la \u00faltima versi\u00f3n y a\u00f1adir una llamada a la misma dentro del bloque de comprobaci\u00f3n de acceso en el archivo time.php"}], "id": "CVE-2021-41139", "lastModified": "2021-10-20T19:17:40.637", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-10-13T17:15:07.697", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}