CVE-2023-32308

CVSS V2 None CVSS V3 None
Description
anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling `ttGroupHelper::getActiveInvoices()` in invoices.php.
Overview
  • CVE ID
  • CVE-2023-32308
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Received
  • Published Version
  • 2023-05-15T21:15:09
  • Last Modified Date
  • 2023-05-15T21:15:09
Weakness Enumerations
CWE URL
CWE-89 http://cwe.mitre.org/data/definitions/89.html
References
Reference URL Reference Tags
https://github.com/anuko/timetracker/commit/8a7367d7f77ea697c090f5ca4e19669181cc7bcf
https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2023-32308
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32308
History
Created Old Value New Value Data Type Notes
2023-05-15 22:00:30 Added to TrackCVE
2023-05-15 22:00:32 Weakness Enumeration new