Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-32306: Blind SQL Injection Vulnerability in Reports

Time Tracker is an open source time tracking system. A time-based blind injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the reports.php page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue is fixed in version 1.22.13.5792. As a workaround, use the fixed code in ttReportHelper.class.php from version 1.22.13.5792.

CVE
Open in Source
#sql#vulnerability#web#php

Impact

Time-based blind SQL injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the reports.php page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft a POST request with malicious SQL for Time Tracker database.

Patches

Fixed in version 1.22.13.5792.

Workarounds

Upgrade is highly recommended. If it is not practical, use fixed code in ttReportHelper.class.php from version 1.22.13.5792.

References

We will publish more information about this on our website soon.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE