{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-06-10T21:36:58.190",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2021-43851",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2021-12-22T00:15:09.987",
        "lastModified": "2024-11-21T06:29:55.813",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the \"group\" and \"status\" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file."
          },
          {
            "lang": "es",
            "value": "Anuko Time Tracker es una aplicación de seguimiento del tiempo de código abierto, basada en la web y escrita en PHP. Se presenta una vulnerabilidad de inyección SQL en múltiples archivos de Time Tracker versión 1.19.33.5606 y anteriores, debido a que no se comprueban correctamente los parámetros \"group\" y \"status\" en las peticiones POST. El parámetro \"group\" es contabilizado cuando se navega entre subgrupos de la organización (archivo groups.php). El parámetro de estado es usado en varios archivos para cambiar el estado de una entidad, como por ejemplo, hacer que un proyecto, una tarea o un usuario estén inactivos. Este problema ha sido parcheado en la versión 1.19.33.5607. Se recomienda encarecidamente una actualización. Si la actualización no es práctica, introduzca la función ttValidStatus como en la última versión y comience a usarla en los bloques de comprobación de entrada de usuarios donde es usado el campo status. Para la corrección de groups.php, introduzca la función ttValidInteger como en la última versión y úsela en el bloque de comprobación de acceso del archivo"
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.2
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9
            }
          ],
          "cvssMetricV2": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "2.0",
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "baseScore": 6.5,
                "accessVector": "NETWORK",
                "accessComplexity": "LOW",
                "authentication": "SINGLE",
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "PARTIAL",
                "availabilityImpact": "PARTIAL"
              },
              "baseSeverity": "MEDIUM",
              "exploitabilityScore": 8.0,
              "impactScore": 6.4,
              "acInsufInfo": false,
              "obtainAllPrivilege": false,
              "obtainUserPrivilege": false,
              "obtainOtherPrivilege": false,
              "userInteractionRequired": false
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-89"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "1.19.33.5607",
                    "matchCriteriaId": "29EAC4EA-8F91-4D0F-89AF-6A1593DF42A8"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a",
            "source": "security-advisories@github.com",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b",
            "source": "security-advisories@github.com",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc",
            "source": "security-advisories@github.com",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/anuko/timetracker/commit/94fda0cc0c9c20ab98d38ccc75ff040d13dc7f1b",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Third Party Advisory"]
          }
        ]
      }
    }
  ]
}