
Stored XSS vulnerability in Week View plugin

Low
anuko published GHSA-jw2g-8wvp-9frw May 8, 2023

Package

week.php

Affected versions

< 1.22.12.5783

Patched versions

1.22.12.5783

Description

Impact

The Week view plugin in Time Tracker versions 1.22.11.5782 and prior did not escape the titles of notes in the week view table. Because of that, a logged-in user could enter notes containing JavaScript. Such a script could then be executed in the user's browser on subsequent requests to the week view.

Patches

Fixed in version 1.22.12.5783.

Workarounds

Wrap the value passed to $field->setTitle on line #245 of the week.php file in htmlspecialchars, as is done in version 1.22.12.5783.
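To illustrate both the impact described above and this workaround, the following is an added example rather than code from the Time Tracker project: a hypothetical `Field` class stands in for the week view field object and renders its title into an HTML attribute, with the unescaped call beside the escaped one. The class, its `render` method, the `escapeTitle` helper and the constructed note text are assumptions; only the `$field->setTitle` call and the use of `htmlspecialchars` come from the advisory.

```php
<?php
// Hypothetical stand-in for the week view field object (not Time Tracker code).
// It stores a title and renders it into a title="" attribute, which is the kind
// of context where an unescaped note title turns into stored XSS.
class Field
{
    private string $title = '';

    public function setTitle(string $title): void
    {
        $this->title = $title;
    }

    public function render(): string
    {
        return '<td title="' . $this->title . '">...</td>';
    }
}

// Escaping helper implementing the workaround. The flags are explicit so that
// both quote characters are encoded on every PHP version (older versions do not
// encode single quotes by default) and invalid UTF-8 is substituted rather than
// making htmlspecialchars return an empty string.
function escapeTitle(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed note text (assumption): the double quote would terminate the
// title attribute early and let the remainder be parsed as new attributes.
$noteText = 'Weekly sync" onmouseover="alert(1)';

// Before the fix: the stored note text is placed into the attribute as-is,
// so the rendered markup contains an injected event-handler attribute.
$vulnerable = new Field();
$vulnerable->setTitle($noteText);
echo $vulnerable->render(), PHP_EOL;

// After the fix: quotes, angle brackets and ampersands are entity-encoded, so
// the whole note text stays inside the attribute value as inert text.
$fixed = new Field();
$fixed->setTitle(escapeTitle($noteText));
echo $fixed->render(), PHP_EOL;
```

Run it with `php` on the command line and compare the two rendered lines; only the second keeps the note text confined to the attribute value.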

References

More information is available on the Anuko website at https://www.anuko.com/time-tracker/news/stored-xss-vulnerability-in-week-view.htm

Severity

Low

CVE ID

CVE-2023-32066

Weaknesses

No CWEs

Credits