CVE-2023-32308

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-32308

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-32308.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-32308

Aliases

GHSA-9g2c-7c7g-p58r

Published

2023-05-15T20:47:06.537Z

Modified

2025-11-29T14:15:41.718753Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L CVSS Calculator

Summary

SQL Injection Vulnerability in anuko timetracker

Details

anuko timetracker is an open source time tracking system. Boolean-based blind SQL injection vulnerability existed in Time Tracker invoices.php in versions prior to 1.22.11.5781. This was happening because of a coding error after validating parameters in POST requests. There was no check for errors before adjusting invoice sorting order. Because of this, it was possible to craft a POST request with malicious SQL for Time Tracker database. This issue has been fixed in version 1.22.11.5781. Users are advised to upgrade. Users unable to upgrade may insert an additional check for errors in a condition before calling ttGroupHelper::getActiveInvoices() in invoices.php.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32308.json",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Git / github.com/anuko/timetracker

Affected ranges

Type: GIT
Repo: https://github.com/anuko/timetracker
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8a7367d7f77ea697c090f5ca4e19669181cc7bcf