CVE-2022-24708 - Vulnerability Details - OpenCVE

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Anuko	Time Tracker

Configuration 1 [-]

cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330
https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh

History

Wed, 23 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-02-23T23:50:09.000Z

Updated: 2025-04-23T19:00:40.196Z

Reserved: 2022-02-10T00:00:00.000Z

Link: CVE-2022-24708

Vulnrichment

Updated: 2024-08-03T04:20:49.874Z

NVD

Status : Modified

Published: 2022-02-24T16:15:08.300

Modified: 2024-11-21T06:50:55.313

Link: CVE-2022-24708

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "timetracker", "vendor": "anuko", "versions": [{"status": "affected", "version": "< 1.20.0.5646"}]}], "descriptions": [{"lang": "en", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-23T23:50:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"}], "source": {"advisory": "GHSA-rgcm-xgvj-5mqh", "discovery": "UNKNOWN"}, "title": "Stored XSS vulnerability in anuko/timetracker", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24708", "STATE": "PUBLIC", "TITLE": "Stored XSS vulnerability in anuko/timetracker"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "timetracker", "version": {"version_data": [{"version_value": "< 1.20.0.5646"}]}}]}, "vendor_name": "anuko"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh", "refsource": "CONFIRM", "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"}, {"name": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330", "refsource": "MISC", "url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"}]}, "source": {"advisory": "GHSA-rgcm-xgvj-5mqh", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.874Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:09:57.944603Z", "id": "CVE-2022-24708", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:00:40.196Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24708", "datePublished": "2022-02-23T23:50:09.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-23T19:00:40.196Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.874Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:09:57.944603Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:09:59.477Z"}}], "cna": {"title": "Stored XSS vulnerability in anuko/timetracker", "source": {"advisory": "GHSA-rgcm-xgvj-5mqh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "anuko", "product": "timetracker", "versions": [{"status": "affected", "version": "< 1.20.0.5646"}]}], "references": [{"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-02-23T23:50:09.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, "source": {"advisory": "GHSA-rgcm-xgvj-5mqh", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 1.20.0.5646"}]}, "product_name": "timetracker"}]}, "vendor_name": "anuko"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh", "name": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh", "refsource": "CONFIRM"}, {"url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330", "name": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-24708", "STATE": "PUBLIC", "TITLE": "Stored XSS vulnerability in anuko/timetracker", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-24708", "state": "PUBLISHED", "dateUpdated": "2025-04-23T19:00:40.196Z", "dateReserved": "2022-02-10T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-02-23T23:50:09.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBE3E8DC-1EF3-451E-B15C-868B6DF653E6", "versionEndExcluding": "1.20.0.5646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name."}, {"lang": "es", "value": "Anuko Time Tracker es una aplicaci\u00f3n de seguimiento del tiempo basada en la web y de c\u00f3digo abierto escrita en PHP. ttUser.class.php en Time Tracker versiones anteriores a 1.20.0.5646, no escapaba el nombre del grupo primario para su visualizaci\u00f3n. Debido a esto, era posible que un usuario conectado modificara el nombre del grupo primario con elementos de JavaScript. Dicho script pod\u00eda ser ejecutado en el navegador del usuario en peticiones posteriores en p\u00e1ginas donde fuera mostrado el nombre del grupo primario. Esta vulnerabilidad ha sido corregida en versi\u00f3n 1.20.0.5646. Los usuarios que no puedan actualizar pueden modificar ttUser.class.php para usar una llamada adicional a htmlspecialchars cuando es impreso el nombre del grupo"}], "id": "CVE-2022-24708", "lastModified": "2024-11-21T06:50:55.313", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-24T16:15:08.300", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/anuko/timetracker/commit/6aaad31630500d13b6c8459daa9f406fd5eb4330"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-rgcm-xgvj-5mqh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}