Skip to content

Blind SQL Injection Vulnerability in Reports

High
anuko published GHSA-758x-vg7g-j9j3 May 12, 2023

Package

No package listed

Affected versions

< 1.22.13.5792

Patched versions

1.22.13.5792

Description

Impact

Time-based blind SQL injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the reports.php page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft a POST request with malicious SQL for Time Tracker database.

Patches

Fixed in version 1.22.13.5792.

Workarounds

Upgrade is highly recommended. If it is not practical, use fixed code in ttReportHelper.class.php from version 1.22.13.5792.

References

More information is available on Anuko website at https://www.anuko.com/time-tracker/news/time-based-blind-sql-injection-in-reports.htm

Severity

High

CVE ID

CVE-2023-32306

Weaknesses

No CWEs

Credits