PT-2021-14437 · Anuko · Anuko Time Tracker

Published: 2021-03-03 · Updated: 2021-03-09 · CVE-2021-21352

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Anuko Time Tracker versions prior to 1.19.24.5415

Description: The issue affects the password reset feature. Reset tokens are derived from the system time, which makes them predictable: an attacker who knows approximately when a reset was requested has only a small set of candidate tokens to try. Brute-forcing a user's token in this way can lead to an unauthorized password change, including for system administrator accounts.

Recommendations: For versions prior to 1.19.24.5415, update to version 1.19.24.5415 or later, which uses more secure tokens and limits the window in which a token can be guessed. As a temporary workaround, consider restricting access to the password reset feature until the update is applied.
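As an added illustration (not Anuko's code and not the vendor's fix), the following Python contrasts a token that is a pure function of the system clock with the properties the recommendation calls for: a CSPRNG-generated token that is hashed at rest, compared in constant time, short-lived and single-use. TOKEN_TTL_SECONDS, ResetTokenStore and weak_time_token are assumed names chosen for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: short validity window bounds how long a token can be guessed.
TOKEN_TTL_SECONDS = 15 * 60


def weak_time_token(now: float) -> str:
    """Illustrates the weakness class only (constructed, not Anuko's code).

    The token is fully determined by the clock, so two requests in the same
    second yield the same value and the candidate set is the size of the
    time window, not the size of the output.
    """
    return hashlib.md5(str(int(now)).encode()).hexdigest()


class ResetTokenStore:
    """Password-reset tokens with the properties the recommendation asks for."""

    def __init__(self):
        # user -> (sha256(token), expires_at); only a digest is kept at rest,
        # so a database read does not yield usable tokens.
        self._pending = {}

    def issue(self, user: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # sent to the user out of band; never stored in clear

    def redeem(self, user: str, presented: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[user]  # expired tokens are discarded, not retried
            return False
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        ok = hmac.compare_digest(digest, candidate)  # constant-time comparison
        if ok:
            del self._pending[user]  # single use: a redeemed token cannot be replayed
        return ok
```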

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2021-21352
GHSA-43C9-RX4H-4GQQ

Affected Products

Anuko Time Tracker