CVE-2021-43851 — HIGH (8.1)

Q: How severe is CVE-2021-43851?

CVE-2021-43851 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-43851?

Check the references section above for vendor advisories and patch information. Affected products include: Anuko Time Tracker.

Vulnerability Description

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Anuko	Time Tracker	< 1.19.33.5607

Related Weaknesses (CWE)

CWE-89

References

https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c33PatchThird Party Advisory
https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dcPatchThird Party Advisory
https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqccThird Party Advisory
https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c33PatchThird Party Advisory
https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dcPatchThird Party Advisory
https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqccThird Party Advisory

FAQ

What is CVE-2021-43851?

CVE-2021-43851 is a vulnerability with a CVSS score of 8.1 (HIGH). Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not ...

How severe is CVE-2021-43851?

CVE-2021-43851 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-43851?

Check the references section above for vendor advisories and patch information. Affected products include: Anuko Time Tracker.