{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-19T01:35:44.445","vulnerabilities":[{"cve":{"id":"CVE-2022-24707","sourceIdentifier":"security-advisories@github.com","published":"2022-02-24T16:15:08.240","lastModified":"2024-11-21T06:50:55.173","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input."},{"lang":"es","value":"Anuko Time Tracker es una aplicación de seguimiento del tiempo basada en la web y de código abierto escrita en PHP. Unas vulnerabilidades de inyección SQL y de inyección ciega basada en el tiempo se presentan en el plugin Puncher de Time Tracker en anuko timetracker versiones anteriores a 1.20.0.5642. Esto ocurría porque el plugin Puncher reusaba código de otros lugares y era basado en un parámetro de fecha no saneado en las peticiones POST. Como el parámetro no era comprobado, era posible diseñar peticiones POST con SQL malicioso para la base de datos de Time Tracker. Este problema ha sido resuelto en versión 1.20.0.5642. Es recomendado a usuarios que no puedan actualizarse añadir sus propias comprobaciones a la entrada"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":3.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*","versionEndExcluding":"1.20.0.5642","matchCriteriaId":"A560E137-D2F9-40B5-9EFB-9FAF4B1FF0C1"}]}]}],"references":[{"url":"http://packetstormsecurity.com/files/167060/Anuko-Time-Tracker-1.20.0.5640-SQL-Injection.html","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory","VDB Entry"]},{"url":"https://github.com/anuko/timetracker/commit/0e2d6563e2d969209c502a1eae4ddd8e87b73299","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"http://packetstormsecurity.com/files/167060/Anuko-Time-Tracker-1.20.0.5640-SQL-Injection.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"]},{"url":"https://github.com/anuko/timetracker/commit/0e2d6563e2d969209c502a1eae4ddd8e87b73299","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}