Indevi0Us

**Name of the Vulnerable Software and Affected Versions** anuko timetracker versions prior to 1.22.11.5781 **Description** The issue is related to a Boolean-based blind SQL injection vulnerability in the invoices.php file of anuko timetracker, an open source time tracking system. This vulnerability existed due to a coding error after validating parameters in POST requests, where there was no check for errors before adjusting the invoice sorting order. As a result, it was possible to craft a POST request with malicious SQL for the Time Tracker database. **Recommendations** For versions prior to 1.22.11.5781, upgrade to version 1.22.11.5781 or later to resolve the issue. As a temporary workaround for users unable to upgrade, consider inserting an additional check for errors in a condition before calling `ttGroupHelper::getActiveInvoices()` in invoices.php.

**Name of the Vulnerable Software and Affected Versions** Time Tracker versions prior to 1.22.13.5792 **Description** A time-based blind injection issue existed in Time Tracker reports due to the `reports.php` page not validating all parameters in POST requests. This allowed malicious SQL to be crafted for the Time Tracker database. The issue is related to the lack of validation of parameters in POST requests, which could be exploited by crafting malicious requests. **Recommendations** For versions prior to 1.22.13.5792, update to version 1.22.13.5792 to resolve the issue. As a temporary workaround, consider using the fixed code in `ttReportHelper.class.php` from version 1.22.13.5792.

**Name of the Vulnerable Software and Affected Versions** Time Tracker versions 1.22.11.5782 and prior **Description** The week view plugin in Time Tracker was not escaping titles for notes in the week view table, allowing a logged-in user to enter notes with JavaScript elements. This could lead to the execution of scripts in the user's browser on subsequent requests to the week view. **Recommendations** For versions 1.22.11.5782 and prior, as a temporary workaround, consider using `htmlspecialchars` when calling `$field->setTitle` on line #245 in the `week.php` file until a patch is available. Update to version 1.22.12.5783 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.16.6 **Description** The issue is related to Cross-site Scripting (XSS) - Reflected, which was found in the GitHub repository osticket/osticket. **Recommendations** For versions prior to 1.16.6, update to version 1.16.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.16.6 **Description** The issue is related to Cross-site Scripting (XSS) - Stored, which affects the GitHub repository osticket/osticket. **Recommendations** For versions prior to 1.16.6, update to version 1.16.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** osticket versions prior to 1.16.6 **Description** The issue is related to Cross-site Scripting (XSS) - Generic. This is a type of security vulnerability that occurs when an application includes user input in its output without proper validation or encoding, allowing an attacker to inject malicious scripts into the application. **Recommendations** For versions prior to 1.16.6, update to version 1.16.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.16.6 **Description** The issue is related to Cross-site Scripting (XSS) - Reflected, which affects the GitHub repository osticket/osticket. **Recommendations** For versions prior to 1.16.6, update to version 1.16.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Anuko Time Tracker versions prior to 1.20.0.5646 **Description** Anuko Time Tracker is an open source, web-based time tracking application written in PHP. The issue arises from the `ttUser.class.php` file not escaping the primary group name for display, allowing a logged-in user to modify it with JavaScript elements. This could lead to the execution of scripts in a user's browser on subsequent requests to pages where the primary group name is displayed. **Recommendations** For versions prior to 1.20.0.5646, upgrade to version 1.20.0.5646 to resolve the issue. As a temporary workaround for users unable to upgrade, modify `ttUser.class.php` to use an additional call to `htmlspecialchars` when printing the group name.

**Name of the Vulnerable Software and Affected Versions** Anuko Time Tracker versions prior to 1.20.0.5642 **Description** The issue is related to the Time Tracker Puncher plugin, which reused code from other places and relied on an unsanitized `date` parameter in POST requests. This allowed for the crafting of malicious SQL requests for the Time Tracker database. The vulnerability can be exploited remotely, enabling an attacker to execute arbitrary SQL queries in the Time Tracker database. **Recommendations** For versions prior to 1.20.0.5642, upgrade to version 1.20.0.5642 to resolve the issue. For users unable to upgrade, add their own checks to input to mitigate the risk. As a temporary workaround, consider adding validation to the `date` parameter in POST requests to prevent malicious SQL injection.

Name of the Vulnerable Software and Affected Versions: Anuko Time Tracker versions 1.19.33.5606 and prior Description: Anuko Time Tracker is an open source, web-based time tracking application written in PHP. A SQL injection issue exists in multiple files due to improper checking of the `group` and `status` parameters in POST requests. The `group` parameter is used when navigating between organizational subgroups in the groups.php file. The `status` parameter is used in multiple files to change the status of an entity, such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. Recommendations: For versions 1.19.33.5606 and prior, upgrade to version 1.19.33.5607 or later. If an upgrade is not practical, introduce the ttValidStatus function as in the latest version and use it in user input check blocks wherever the `status` field is used. For the groups.php fix, introduce the ttValidInteger function as in the latest version and use it in the access check block in the file.

**Name of the Vulnerable Software and Affected Versions** anuko/timetracker versions prior to 1.19.30.5601 **Description** The issue concerns anuko/timetracker, an open-source time tracking system. In affected versions, the system uses a `browser today` hidden control to collect the current date from user browsers. Due to the lack of sanity checks on this parameter in versions prior to 1.19.30.5601, it is possible to craft an HTML form with malicious JavaScript. An attacker could use social engineering to convince logged-on users to execute a POST request from such a form, resulting in the execution of attacker-supplied JavaScript in the user's browser. **Recommendations** For versions prior to 1.19.30.5601, upgrade to version 1.19.30.5601 or later. If an upgrade is not practical, introduce the `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block.

**Name of the Vulnerable Software and Affected Versions** Anuko Time Tracker versions prior to 1.19.30.5600 **Description** Anuko Time Tracker is a web-based time tracking application written in PHP. The application is vulnerable to an issue where a logged-on user's selection of a date can be manipulated by passing malicious JavaScript via the `date` parameter in the URI. This can be exploited using social engineering to convince the user to click on a crafted link, allowing the attacker-supplied JavaScript to be executed in the user's browser. **Recommendations** For versions prior to 1.19.30.5600, update to version 1.19.30.5600 to resolve the issue. As a temporary workaround, consider introducing the `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php.

Name of the Vulnerable Software and Affected Versions: Anuko Time Tracker versions prior to 1.19.27.5431 Description: A Cross site request forgery (CSRF) issue exists, where a logged-on user may be tricked by social engineering into clicking on an attacker-provided form, potentially executing unintended actions, such as changing the user's password. Recommendations: For versions prior to 1.19.27.5431, upgrade to version 1.19.27.5431 to fix the issue. As a temporary workaround, introduce the `ttMitigateCSRF()` function in `/WEB-INF/lib/common.php.lib` using the latest available code and call it from `ttAccessAllowed()`.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 9.5.4 **Description** The issue allows creating tickets for another user with the self-service interface without having delegatee systems enabled. **Recommendations** For versions prior to 9.5.4, update to version 9.5.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 9.5.4 **Description** The issue concerns an Insecure Direct Object Reference (IDOR) on "Solutions" in GLPI. This allows an unauthorized user to enumerate GLPI items names, including users' logins, using the knowbase search form, which requires authentication. The exploitation involves modifying the `item itemtype` parameter in the URL of the `/glpi/front/knowbaseitem.php` endpoint to point to different tables, such as changing `Ticket` to `Users`, and guessing incremental IDs. **Recommendations** For versions prior to 9.5.4, update to version 9.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the knowbase search form and the `/glpi/front/knowbaseitem.php` endpoint to minimize the risk of exploitation. Avoid using the `item itemtype` and `item items id` parameters in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: GLPI versions 9.5.3 Description: GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI, it was possible to switch entities with IDOR from a logged in user. Recommendations: For GLPI version 9.5.3, update to version 9.5.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 9.5.3 **Description** The issue is related to an Insecure Direct Object Reference (IDOR) vulnerability in the ajax/comments.php file. This vulnerability allows an attacker to read data from any database table, such as glpi tickets or glpi users. **Recommendations** For versions prior to 9.5.3, update to version 9.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax/comments.php file until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 9.5.3 **Description** The issue affects the ajax/getDropdownValue.php file, presenting an Insecure Direct Object Reference (IDOR) vulnerability. This allows an attacker to read data from any itemType, such as Ticket or Users. **Recommendations** For versions prior to 9.5.3, update to version 9.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax/getDropdownValue.php file to minimize the risk of exploitation.