CVE Vulnerability

CVE-2021-21352

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

9.1 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq Mitigation Third Party Advisory
https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5 Patch Third Party Advisory
https://www.anuko.com/time-tracker/index.htm Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*
Information

Published : 2021-03-03 01:15

Updated : 2021-03-09 03:51

NVD link : CVE-2021-21352

Mitre link : CVE-2021-21352

Products Affected
No products.
CWE
CWE-330