CVE-2023-32306 HIGH

CVE-2023-32306: Time Tracker has Blind SQL Injection Vulnerability in Reports

Vendor Anuko

Product timetracker

Weakness CWE-89 · SQLi

Published May 12, 2023

Last update January 23, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Time Tracker is an open source time tracking system. A time-based blind injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the `reports.php` page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue is fixed in version 1.22.13.5792. As a workaround, use the fixed code in `ttReportHelper.class.php` from version 1.22.13.5792.

Key dates

02Disclosure timeline

May 12, 2023 CVE published

January 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-32306 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2023-32306: Time Tracker has Blind SQL Injection Vulnerability in Reports

01Description

02Disclosure timeline

03References

04Related CVE