Vulnerability Description
Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior did not escape titles for notes in the week view table. Because of that, a logged-in user could enter notes containing JavaScript, and that script could then execute in another user's browser on subsequent requests to the week view. This issue is fixed in version 1.22.12.5783. As a workaround, apply `htmlspecialchars` to the value passed to `$field->setTitle` on line #245 of the `week.php` file, as version 1.22.12.5783 does.
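The vulnerable and fixed call patterns side by side, as an added PHP illustration that is not Time Tracker's own code: the `TableField` class, its `setTitle()`/`render()` methods, the two `renderNoteCell*` functions and the sample note are constructed here, since `week.php` itself is not reproduced on this page.

```php
<?php
// Added example (not Time Tracker's own code): a minimal stand-in for a week-view
// table cell that carries a note as its title attribute. TableField, its methods
// and the sample note are constructed for illustration; the real API may differ.
declare(strict_types=1);

final class TableField
{
    private string $title = '';

    public function setTitle(string $title): void
    {
        $this->title = $title;
    }

    // Emits the title attribute verbatim, like the pre-1.22.12.5783 week view:
    // whatever the caller passed lands inside the HTML attribute unchanged.
    public function render(string $cellText): string
    {
        return '<td title="' . $this->title . '">' . $cellText . '</td>';
    }
}

// Vulnerable pattern: user-supplied note text reaches setTitle() unescaped, so a
// double quote in the note closes the attribute early and any tag markup that
// follows is interpreted by the browser (stored XSS on later week-view requests).
function renderNoteCellVulnerable(string $note, string $hours): string
{
    $field = new TableField();
    $field->setTitle($note);
    return $field->render($hours);
}

// Hardened pattern, matching the advisory's workaround: escape the note with
// htmlspecialchars() at the setTitle() call site. ENT_QUOTES also encodes the
// double quote that delimits the attribute, so the note cannot break out of it.
// Escaping inside render() instead would protect every caller at once.
function renderNoteCellFixed(string $note, string $hours): string
{
    $field = new TableField();
    $field->setTitle(htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return $field->render($hours);
}

// Constructed sample note containing the HTML metacharacters a user could type.
$note = 'Sync with "QA" <b>team</b> & vendor';

echo renderNoteCellVulnerable($note, '2.5'), PHP_EOL; // attribute broken, markup live
echo renderNoteCellFixed($note, '2.5'), PHP_EOL;      // quotes, angle brackets and & encoded
```

Run with `php example.php` and compare the two lines: only the fixed variant keeps the whole note inside the `title` attribute.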
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Anuko | Time Tracker | < 1.22.12.5783 |
Related Weaknesses (CWE)
References
- https://github.com/anuko/timetracker/commit/093cfe158099704ffd4a1624be217f9935e9 (Patch)
- https://github.com/anuko/timetracker/security/advisories/GHSA-jw2g-8wvp-9frw (Third Party Advisory)
FAQ
What is CVE-2023-32066?
CVE-2023-32066 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior did not escape titles for notes in the week view table. Because of that, it was ...
How severe is CVE-2023-32066?
CVE-2023-32066 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-32066?
Check the references section above for vendor advisories and patch information. Affected products include: Anuko Time Tracker.