{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T01:00:47.166","vulnerabilities":[{"cve":{"id":"CVE-2021-41156","sourceIdentifier":"security-advisories@github.com","published":"2021-10-18T21:15:08.547","lastModified":"2024-11-21T06:25:37.203","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today's date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft an html form with malicious JavaScript, use social engineering to convince logged on users to execute a POST from such form, and have the attacker-supplied JavaScript to be executed in user's browser. This has been patched in version 1.19.30.5600. Upgrade is recommended. If it is not practical, introduce ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block."},{"lang":"es","value":"anuko/timetracker es un sistema de seguimiento de tiempo de código abierto. En las versiones afectadas Time Tracker usa el control oculto browser_today en algunas páginas para recoger la fecha de hoy de los navegadores de los usuarios. Debido a que no era comprobada el saneo de este parámetro en las versiones anteriores a 1.19.30.5601, era posible diseñar un formulario html con JavaScript malicioso, usar la ingeniería social para convencer a usuarios registrados de que ejecutaran un POST desde dicho formulario y hacer que el JavaScript suministrado por el atacante sea ejecutado en el navegador del usuario. Esto ha sido parcheado en la versión 1.19.30.5600. Se recomienda la actualización. Si no es práctico, introduzca la función ttValidDbDateFormatDate como en la última versión y añada una llamada a ella dentro del bloque de comprobación de acceso"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","baseScore":3.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:timetracker_project:timetracker:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.30.5601","matchCriteriaId":"D02C4869-D43E-45E0-814A-000F77A76BCD"}]}]}],"references":[{"url":"https://github.com/anuko/timetracker/security/advisories/GHSA-g9cc-m4p4-6xpc","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/security/advisories/GHSA-g9cc-m4p4-6xpc","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}