{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T10:59:35.219","vulnerabilities":[{"cve":{"id":"CVE-2021-41139","sourceIdentifier":"security-advisories@github.com","published":"2021-10-13T17:15:07.697","lastModified":"2024-11-21T06:25:34.300","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user's browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php."},{"lang":"es","value":"Anuko Time Tracker es una aplicación de seguimiento de tiempo de código abierto, basada en la web y escrita en PHP. Cuando un usuario conectado selecciona una fecha en Time Tracker, se pasa por medio del parámetro de fecha en URI. Debido a que no se comprobaba este parámetro para saneo en las versiones anteriores a 1.19.30.5600, era posible diseñar el URI con JavaScript malicioso, usar ingeniería social para convencer al usuario conectado de que hiciera clic en dicho enlace y hacer que el JavaScript suministrado por el atacante se ejecutara en el navegador del usuario. Este problema está parcheado en la versión 1.19.30.5600. Como solución, es posible introducir la función \"ttValidDbDateFormatDate\" como en la última versión y añadir una llamada a la misma dentro del bloque de comprobación de acceso en el archivo time.php"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.30.5600","matchCriteriaId":"C5A8B606-00BA-4ACD-8593-377DD978D2CE"}]}]}],"references":[{"url":"https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/commit/559906731f153c9b3a632c2839ed11669b76d593","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/commit/d3f60bd3e3ea8ff8ec31a596baec6750af601b7c","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/security/advisories/GHSA-h2v8-87c9-86cw","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}