CVE-2021-41139

Name of the Vulnerable Software and Affected Versions Anuko Time Tracker versions prior to 1.19.30.5600

Description Anuko Time Tracker is a web-based time tracking application written in PHP. The application is vulnerable to an issue where a logged-on user's selection of a date can be manipulated by passing malicious JavaScript via the date parameter in the URI. This can be exploited using social engineering to convince the user to click on a crafted link, allowing the attacker-supplied JavaScript to be executed in the user's browser.

Recommendations For versions prior to 1.19.30.5600, update to version 1.19.30.5600 to resolve the issue. As a temporary workaround, consider introducing the ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block in time.php.