Home Contact Buy
Sitemap Contact
Home Time Tracker Consulting Download Video Free Buy Sitemap Contact

Forum

Is TaskBar still broken?

Cannot Add New Clock or Change City Window 11

[SOLVED] Forgot Password -> Error 500

[SOLVED] Unable to send mail

installation problem : MDB2 Error: unknown error

the "actual" time of arrival & departure

work permit request

Time Tracker UPGRADE INSTRUCTIONS

News

11 May 2023
CVE-2023-32306 - Time-based blind SQL injection in reports
8 May 2023
CVE-2023-32066 - Stored XSS vulnerability in Week View
8 May 2023
CVE-2023-32308 - SQL injection vulnerability in Invoices
24 Feb 2023
Hide and show desktop clocks with a shortcut key
5 Feb 2023
World Clock desktop templates for forex
4 Feb 2023
World Clock desktop templates for GMT
6 Nov 2022
Charts for Favorite Reports
27 Oct 2022
Time Tracker 1.22 Released

Stored XSS Vulnerability in Week View

CVE-2023-32066.

Week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Titles are displayed in tooltips on mouse hover over in week note cells, allowing to see a complete text for notes. Because of no escaping, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view.

Patches

The vulnerability was fixed in version 1.22.12.5783.

Workarounds

Use htmlspecialchars when calling $field->setTitle on line #245 in week.php file as in version 1.22.12.5783. The fixed line should look like this:
$field->setTitle(htmlspecialchars($table->getValueAt($row,$column)['note']));

Support

If you need help with upgrading or migrating your system you can order paid support. We can also host Time Tracker for your organization on our servers. If you have any questions feel free to contact us.

Home Download Video Free Buy Legal Sitemap Contact
Login
Hosting and content management by Anuko