cvedb.io
CVE-2021-43851
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2021-12-22T00:15:09.987 · Last modified 2026-06-17T04:11:34.283

Summary

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger func

Affected products

anuko — time_tracker

Does this affect you?

Add your gear to cvedb and we'll alert you only when anuko ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.